SOLVING  THE  DILEMMA  OF  STATE  RESPONSES 
TO  CYBERATTACKS:  A  JUSTIFICATION  FOR 
THE  USE  OF  ACTIVE  DEFENSES  AGAINST 
STATES  WHO  NEGLECT  THEIR  DUTY  TO  PREVENT 


A  Thesis  Presented  to  The  Judge  Advocate  General’s  School, 
United  States  Army,  in  partial  satisfaction  of  the  requirements 
for  the  Degree  of  Master  of  Laws  (LL.M.)  in  Military  Law 


The  opinions  and  conclusions  expressed  here  are  those  of  the  author  and  do  not 
necessarily  represent  the  views  of  either  The  Judge  Advocate  General’s  School, 
the  United  States  Navy,  the  Department  of  Defense,  or  any  other  government  agency. 




By  Lieutenant  Matthew  J.  Sklerov 
Judge  Advocate  General’s  Corps 
United  States  Navy 


57th Judge Advocate Officer Graduate Course
April  2009 




SOLVING  THE  DILEMMA  OF  STATE  RESPONSES  TO  CYBERATTACKS: 

A  JUSTIFICATION  FOR  THE  USE  OF  ACTIVE  DEFENSES  AGAINST  STATES 
WHO  NEGLECT  THEIR  DUTY  TO  PREVENT 

Lieutenant  Matthew  J.  Sklerov* 


* Judge Advocate, United States Navy. Presently assigned as Student, 57th Judge Advocate Officer Graduate
Course, The Judge Advocate General’s School, United States Army, Charlottesville, Virginia. J.D., 2002, The
University of Texas School of Law; B.A., 1997, State University of New York at Binghamton (cum laude);
A.A., 1995, State University of New York at Rockland. Previous assignments include Deputy Command Judge
Advocate, USS NIMITZ (CVN 68), 2006-2008; Command Judge Advocate, Naval Air Station, Kingsville,
Texas, 2004-2006; Trial Counsel, Trial Service Office West, Detachment Bremerton, Washington, 2003-2004.
Member of the bars of Texas, the U.S. District Court for the Southern District of Texas, the U.S. Court of
Appeals for the Armed Forces, and the U.S. Supreme Court. This article was submitted in partial completion of
the Master of Laws requirements of the 57th Judge Advocate Officer Graduate Course. The author would like
to thank Major J. Jeremy Marsh, U.S. Air Force, for his invaluable assistance with this article.


Table  of  Contents 


I. Introduction
II. Cyberattacks, a Growing International Threat
A. The Legal Dilemma of State Responses to Cyberattacks
B. The Importance of Using Active Defenses
III. Examining Cyberattacks
A. Types of Cyberattacks
B. Potential Impact of Cyberattacks
C. Defenses against Cyberattacks
IV. The General Framework of Jus ad Bellum
A. General Prohibition on the Use of Force
B. Actions Authorized by the United Nations Security Council
C. Self-Defense
D. Anticipatory Self-Defense
E. Proportionate Countermeasures / Reprisals
V. Non-State Actors Complicate the General Framework of Jus ad Bellum; However, Imputing State Responsibility Allows States to Deal with Them
A. Armed Attacks by Non-State Actors
B. Duties Between States
C. Imputing State Responsibility for Acts by Non-State Actors
D. Cross Border Operations
VI. Analyzing Cyberattacks under Jus ad Bellum
A. Cyberattacks as Armed Attacks
B. Modernizing the Approach to State Responsibility for Cyberattacks
C. The Duty to Prevent Cyberattacks
1. Support from International Conventions
2. Support from State Practice
3. Support from the General Principles of Law
4. Support from Judicial Opinions
5. Further Defining a State’s Duty to Prevent Cyberattacks
D. Becoming a Sanctuary State: Practices that Lead to State Responsibility
VII. The Choice to Use Active Defenses: Moving Towards a Workable Approach
A. Technological Limitations and Jus ad Bellum Analysis
1. Limitations on Attack Detection
2. Limitations on Attack Classification
3. Limitations on Attack Traces
B. Jus in Bello Issues Related to the Use of Active Defenses
1. Active Defenses, the Most Appropriate Forceful Response
2. Technological Limitations and Jus in Bello Analysis
VIII. Conclusion


How do you account for your discoveries? Through intuition or inspiration?¹

Both. ... I’m enough of an artist to draw freely on my imagination, which I
think is more important than knowledge. Knowledge is limited, imagination
encircles the world.²

I.  Introduction 

The greatest advances in law, like those in science, come through imagination. When
scientific knowledge fails to explain new discoveries about the universe, scientists advance
new theories to account for their discoveries — so too with the law. Revolutions in
technology, like the Internet, challenge the framework that regulates international armed
conflict. Legal scholars must use imagination to find ways to tackle this problem. If not, the
law will become obsolete and meaningless to the states that need its guidance.

Man has long sought to regulate warfare. From the Chivalric Code to the U.N. Charter,
man has placed restraints on the times one can resort to war and the methods with which it is
conducted. There are a variety of reasons why, but, to generalize, regulations are the
response to perceived problems with the state of war at a given time. Sometimes these
perceptions are the result of shifts in the social conscience. At other times, values haven’t
changed at all, but problems arise due to radical changes in the way war is waged.

As warfare changes, so must the law; and warfare is changing fast. Traditionally, the
instruments of war were only controlled by states. However, in today’s world of globally
interconnected computer systems, non-state actors with a laptop computer and an Internet

¹ George Sylvester Viereck, What Life Means to Einstein: An Interview by George Sylvester Viereck, PHILA.
SATURDAY EVENING POST, Oct. 29, 1929, at 113 (questioning Albert Einstein about his discoveries).

² Id. at 117 (quoting Albert Einstein’s response to his questions).




connection can attack the critical infrastructure³ of another state from across the world. This
is a major paradigm shift, which the law of war, today, fails to adequately address.

This paper will explore the unique challenges that cyberattacks⁴ pose to the law of war
and provide an analytical framework for dealing with them. Once the current state of the law
of war is fully explored, this paper will demonstrate its author’s conclusions that states have a
right under international law to: (1) view and respond to cyberattacks as acts of war and not
solely as criminal matters; and (2) use active, and not just passive, defenses⁵ against the
computer networks in other states, that may or may not have initiated an attack, but have
neglected their duty to prevent cyberattacks from within their borders.

These conclusions are demonstrated over the next seven parts of this paper. Part II
provides background on the threat that international cyberattacks pose to states, the legal
problems that states encounter when dealing with them, and why current interpretations of
the law of war actually endanger states. Part III provides background on cyberattack
methods, destructive capabilities and defenses. Part IV lays out the basic framework for
analyzing armed attacks. Part V explores the challenges that non-state actors present to the
basic framework of the law of war. Part VI analyzes cyberattacks under the law of war. It


³ “Critical infrastructure are those systems, physical or virtual, whose incapacitation or destruction would have a
debilitating impact on the nation’s security, economy, public health or public safety.” Critical Infrastructure
Protection Act of 2001, 42 U.S.C.S. § 5195c (2001).

⁴ This paper uses derivatives of the root word cyber, such as cyberattack, cyberthreat and cyberwarfare. Cyber
may be used as an adjective or combining form that when used in connection with other words, defines them as
relating to computers or computer networks. So, a cyberattack would be an attack carried out against a
computer or computer network; a cyberthreat would be a threat to a computer or computer network.
Merriam-Webster Online Dictionary, http://www.merriam-webster.com/dictionary/cyber (last visited Mar. 22, 2009).

⁵ Active defenses are electronic counter-measures designed to strike attacking computer systems, shutting them
down and stopping a cyberattack from them midstream. Eric Jensen, Computer Attacks on Critical National
Infrastructure: A Use of Force Invoking the Right of Self-Defense, 38 STAN. J. INT’L L. 207, 230 (2002).

Passive defenses are the traditional forms of computer security used to defend computer networks, such as
system access controls, data access controls, security administration, and secure system design. Id.




demonstrates that cyberattacks can qualify as acts of war, that states have a duty to prevent
cyberattacks, and that victim-states have a right to use active defenses against host-states that
neglect their duty to prevent cyberattacks. Part VII examines the choice to use active
defenses. It explains why states should use active defenses against cyberattacks, explains the
technological limits to detecting, classifying and tracing cyberattacks, and explores the
impact these technological limitations will have on state decision-making. Finally, Part VIII
urges states to start using active defenses to protect themselves from cyberattacks originating
from states that neglect their duty to prevent.

II.  Cyberattacks,  a  Growing  International  Threat 

The Internet is essential to every modern country in the world. It is one of the
cornerstones of commerce.⁶ Strategic government activities are directed through it.⁷ Energy
production and distribution, water treatment facilities, mass transit and emergency services
are controlled through it. The more developed a country is, the more it depends on it.
Indeed, networked computers have become the nervous system of modern society.¹⁰

Global connectivity, however, is a two-edged sword. While it provides tremendous
benefits to states, it also opens the door to state and non-state actors who wish to attack and

⁶ See Andrew Colarik, Cyber Terrorism, Political and Economic Implications, at viii-xi (2006)
(noting that trillions of dollars of electronic banking and global stock trading are conducted over it each year).

⁷ Id. at viii-xi.

⁸ Id. at viii-xi.

⁹ Id. at xii.

¹⁰ The White House, The National Strategy to Secure Cyberspace, at vii (2003).




disrupt a state’s critical information systems.¹¹ Furthermore, it is now undisputed that these
attacks can have catastrophic consequences, such as bringing a state’s economy to its knees,
weakening its national defense posture, or causing the loss of life.¹² While these doomsday
scenarios may seem farfetched, the reality is that catastrophic cyberattacks are more likely to
occur as states grow more reliant on the Internet,¹³ as terrorists increasingly look to use
cyberattacks against states,¹⁴ and as cyberattacks become more frequent and potent.¹⁵

No state is safe from cyberattacks. Recent high-profile cyberattacks highlight such
vulnerability. In July 2008, shortly before armed conflict broke out between Russia and
Georgia, hackers barraged Georgia’s Internet infrastructure with coordinated cyberattacks.¹⁶
The attacks overloaded and shut down many of Georgia’s computer servers, and impaired
Georgia’s ability to disseminate information to its citizens during its armed conflict with


¹¹ COLARIK, supra note 6, at xii.

¹² The White House, The National Strategy to Secure Cyberspace 6-7 (2003); see also infra Part III.B.

¹³ See Richard Garnett & Paul Clarke, Cyberterrorism: A New Challenge for International Law, in ENFORCING
INTERNATIONAL LAW NORMS AGAINST TERRORISM 465, 487 (Andrea Bianchi ed., 2004); Dana Shea, Cong.
Research Serv. Report, Critical Infrastructure: Control Systems and the Terrorist Threat, RL
31534, at CRS-1 to CRS-3 (2003).

¹⁴ See Shea, supra note 13, at CRS-6 to CRS-7; see also L. Gordon Crovitz, Internet Attacks are a Real and
Growing Problem, WALL STREET J., Dec. 15, 2008, at 17 (describing terrorist attempts to trick military
computers into mistaking the identities of friendly and unfriendly forces in Afghanistan and Iraq).

¹⁵ See Clay Wilson, Cong. Research Serv. Report, Botnets, Cybercrime, and Cyberterrorism:
Vulnerabilities and Policy Issues for Congress, RL 32114, at CRS-7 to CRS-8 (2007) (noting
cyberattacks are growing more frequent due to the use of automated attack programs; cyberattacks now happen
so often the Computer Emergency Response Team Coordination Center gave up tracking them, after tracking
several hundred thousand successful attacks a year for several years); JOHN ROLLINS & CLAY WILSON, CONG.
RESEARCH SERV. REPORT, TERRORIST CAPABILITIES FOR CYBERATTACK: OVERVIEW AND POLICY ISSUES, RL
33123, at CRS-17 (2007) (reporting that the Department of Defense experiences more than three million scans
of their computer systems each day by potential attacks, and that, according to a study by IBM in 2005, there
were roughly 237 million cyberattacks conducted globally in the first half of the year); John Markoff, Internet
Attacks Grow More Potent, N.Y. TIMES, Nov. 10, 2008, at B8 (describing the increasing capabilities of
distributed-denial-of-service attacks to shut down computer systems and overcome computer defenses).

¹⁶ John Markoff, Before the Gunfire, Cyberattacks, N.Y. TIMES, Aug. 13, 2008, at A1.




Russia.¹⁷ In June 2007, Chinese hackers disabled 1,500 Pentagon computers, including those
of the Secretary of Defense.¹⁸ In April 2007, cyberattacks from Russia crippled the
government and commercial computer networks of Estonia.¹⁹ These attacks lasted
approximately three weeks, disrupted Estonia’s ability to govern, harmed Estonia’s economy,
and damaged their networks so badly that Estonia had to reach out to its NATO allies to help
recover from the attacks.²⁰ These are some of the more egregious international cyberattacks;
however, there have been numerous others, often with severe consequences to the
victim-states.²¹ Given the potentially catastrophic consequences of cyberattacks, it is imperative for
states to be able to effectively defend themselves.


¹⁸ Mark Hosenball, Whacking Hackers, NEWSWEEK, Oct. 15, 2007, at 10.

¹⁹ Mark Landler & John Markoff, After Computer Siege on Estonia, War Fears Turn to Cyberspace, N.Y.
TIMES, May 29, 2007, at A1; James Sterngold, U.S. on Guard Against Computer Attacks; Estonia's Disruption
Shows Need to Fortify Internet's Defenses, SAN FRANCISCO CHRONICLE, June 24, 2007, at A4.

²⁰ Landler & Markoff, supra note 19, at A1; WILSON, supra note 15, at CRS-7 to CRS-8.

²¹ See, e.g., Siobhan Gorman et al., Computer Spies Breach Fighter Jet Projects, WALL STREET J., Apr. 21,
2009, at A1 (describing Chinese cyberattacks against the U.S. Joint Strike Fighter project); Siobhan Gorman,
Electric Grid in U.S. Penetrated by Spies, WALL STREET J., Apr. 8, 2009, at A1 (describing Chinese
cyberattacks against U.S. electric grids); Christopher Rhoads, Kyrgyzstan Knocked Offline, WALL STREET J.,
Jan. 28, 2009, at 10 (discussing the January 2009 denial-of-service attacks from Russia which effectively
knocked Kyrgyzstan offline); Julian Barnes, Cyber Attack has Pentagon Worried: Russia Eyed in Hit on
Defense Networks, CHI. TRIB., Nov. 30, 2008, at C16 (discussing the November 2008 cyberattacks from Russia
which disrupted U.S. Central Command’s classified computer networks); Demetri Sevastopulo, Chinese
Hackers Penetrate White House Network, FIN. TIMES ONLINE, Nov. 7, 2008,
http://www.ft.com/cms/s/0/f16027f0-ac6e-11dd-bf71-000077b07658.html?nclick_check=1 (discussing the cyberattacks from China that
penetrated the White House’s computer network in autumn 2008, and the Obama and McCain presidential
campaign networks in summer 2008); Rhys Blakely et al., MI5 Alert on China’s Cyberspace Spy Threat, TIMES
ONLINE, Dec. 1, 2007, http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article2980250.ece
(discussing the November 2007 cyberattacks from China against vital British commercial,
governmental and military systems); Liam Tung, China Accused of Cyberattacks on New Zealand, CNET
NEWS.COM, Sept. 13, 2007, http://news.cnet.com/China-accused-of-cyberattacks-on-New-Zealand/2100-7348_3-6207678.html
(discussing the September 2007 cyberattacks from China against New Zealand’s
government networks); Merkel’s China Visit Marred by Hacking Allegations, DER SPIEGEL ONLINE, Aug. 27,
2007, http://www.spiegel.de/international/world/0,1518,502169,00.html (discussing the August 2007




A.  The  Legal  Dilemma  of  State  Responses  to  Cyberattacks 


Unfortunately, state responses to cyberattacks are governed by an anachronistic legal
regime which impairs a state’s ability to defend itself. No comprehensive treaty exists to
regulate international cyberattacks.²² Consequently, states must practice law by analogy:
either equating cyberattacks to traditional armed attacks and responding to them under the
law of war, or equating them to criminal activity and dealing with them as a criminal
matter.²³ The prevailing view of states and legal scholars is that international cyberattacks
must be treated as a criminal matter because the law of war forbids them from responding
with force unless an attack can be attributed to a foreign state or its agents.²⁴ This limited
view of the law of war is problematic for two reasons. First, it confines state computer


cyberattacks from China against Germany’s government); Roger Boyes, China Accused of Hacking into Heart
of Merkel Administration, TIMES ONLINE, Aug. 27, 2007, http://www.timesonline.co.uk/tol/news/world/europe/article2332130.ece
(discussing the August 2007 Chinese cyberattacks against Germany’s government); see also
Richard Behar, World Bank Under Cyber Siege in 'Unprecedented Crisis', FOXNEWS.COM, Oct. 10, 2008,
http://www.foxnews.com/story/0%2C2933%2C435681%2C00.html (showing the vulnerability of
intergovernmental organizations to cyberattacks through Chinese cyberattacks against the World Bank).

²² See Ahmad Kamal, The Law of Cyber-Space: An Invitation to the Table of Negotiations 170-89
(2005); Duncan Hollis, Why States Need an International Law for Information Operations, 11 LEWIS & CLARK
L. REV. 1023, 1024-38 (2007); Jon Jurich, Cyberwar and Customary International Law: The Potential of a
“Bottom-up” Approach to an International Law of Information Operations, 9 CHI. J. INT’L L. 275, 283 (2008).
There is a Convention on Cybercrime that was adopted by the Council of Europe, which went into effect in
2004; however, it does not provide a comprehensive structure for dealing with cyberattacks. The United States
is the only non-European nation that is a party to the convention. Notably, despite being part of the Council of
Europe, Russia never entered the treaty; neither has China. See Council of Europe, Convention on Cybercrime,
opened for signature Nov. 23, 2001, 41 I.L.M. 282 [hereinafter Convention on Cybercrime].

²³ See Hollis, supra note 22, at 1024-38.

²⁴ See Lawrence Greenberg et al., Information Warfare and International Law 83-84 (1997);
Walter Gary Sharp, Sr., Cyberspace and the Use of Force 8 n.14 (1999); Sean Condron, Getting it
Right: Protecting American Critical Infrastructure in Cyberspace, 20 HARV. J.L. & TECH. 404, 414-15 (2007);
Daniel Creekman, A Helpless America? An Examination of the Legal Options Available to the United States in
Responding to Varying Types of Cyber-Attacks from China, 17 AM. U. INT’L L. REV. 641, 653-54 (2002);
Yoram Dinstein, Computer Network Attacks and Self-Defense, in COMPUTER NETWORK ATTACK AND
INTERNATIONAL LAW 99, 111 (Michael N. Schmitt & Brian T. O’Donnell eds., Naval War College 2002).




defenses to passive defenses, which reduce a state’s ability to stop cyberattacks. Second, it
forces states to rely on criminal laws to deter cyberattacks, which are ineffective because
several major states are unwilling to extradite or prosecute their attackers. Given these
problems with the prevailing view, states will undoubtedly find themselves in a “response
crisis”²⁷ during a cyberattack, forced to decide between effective, but arguably illegal, active
defenses, and the less effective, but legal, path of passive defenses and criminal laws.

The current legal paradigm, which requires attribution to a state or its agents, perpetuates
the response crisis because it is virtually impossible to attribute cyberattacks during an attack.
While states can trace cyberattacks back to computer servers in another state, conclusively
ascertaining the identity of the attacker requires intensive, time-consuming investigation,
with assistance from the state of origin.²⁹ Given the prohibition on responding with force
until an attack has been attributed to a state or its agents, coupled with the fact that the vast


²⁵ Active defenses are one of the most effective defenses to cyberattacks, and can stop them in situations where
passive defenses cannot. See Noah Shachtman, Air Force Aims to 'Re-Write Laws of Cyberspace', WIRED
NEWS, Nov. 3, 2008, http://blog.wired.com/defense/2008/11/air-force-aims.html; Crovitz, supra note 14, at 17.
Ideally, states would defend themselves with a layered defense of active and passive defenses. However, states
currently confine their defenses to passive defenses because active defenses cannot be legally used unless force
is authorized under the law of war. See Jensen, supra note 5, at 231.

²⁶ This shall be discussed later in this section.

²⁷ “Response crisis” refers to the dilemma that states face in choosing an appropriate response to a cyberattack.

²⁸ Adding pressure to the response crisis is that delaying the use of active defenses will increase the overall risk
to a state. See Lord: Attack Attribution, Intent are Badly Needed Cyberwar Capabilities, 29 INSIDE THE AIR
FORCE, No. 26, June 27, 2008 (quoting Major General William Lord, Commander (Prospective), Air Force
Cyber Command); see also Condron, supra note 24, at 407-08 (noting that delaying the use of active defenses,
so that attacks can be attributed, can result in lost lives and massive damage).

²⁹ See Jensen, supra note 5, at 232-35 (discussing the difficulty of attributing cyberattacks across international
borders); Jason Barkham, Information Warfare and International Law on the Use of Force, 34 N.Y.U. J. INT’L
L. & POL. 57, 97-99 (2001) (noting that attributing cyberattackers cannot be done without extensive
investigation, in which access to the originating servers is granted by the host-state’s government).




majority of cyberattacks are conducted by non-state actors,³⁰ it should come as no surprise
that states treat cyberattacks as a criminal matter. This “attribution problem” locks states
into the response crisis.

The same high-profile cyberattacks discussed earlier highlight the link between the
attribution problem and response crisis. In 2008, Georgia traced the cyberattacks against it
back to Russia, but could not pin them on its government.³³ Similarly, U.S. officials believed
that China sponsored the 2007 cyberattacks against the Pentagon, but could not prove the
link.³⁴ Following a familiar pattern, Estonia traced the 2007 attacks on it back to Russia, but
could not tie them to its government.³⁵ Ultimately, in each of these cases, states were unable
to solve the attribution problem, which legally limited them from using active defenses, and
forced them to rely on passive defenses and criminal laws.

Treating cyberattacks as a criminal matter would not be problematic if passive defenses
and criminal laws provided sufficient protection from cyberattacks. Unfortunately, neither is
adequate. While passive defenses are always the first line of defense against cyberattacks

³⁰ Jensen, supra note 5, at 232.

³¹ See Condron, supra note 24, at 407 (noting the United States treats international cyberattacks as a criminal
matter); Hollis, supra note 22, at 1050 (noting that Estonia responded to the 2007 cyberattacks from Russia
through diplomatic channels, despite their belief that Russia sponsored the attacks, because of the legal
requirement to attribute cyberattacks before treating them as violations of the law of war).

³² “Attribution problem” refers to the difficulty of ascertaining the identity of cyberattackers.

³³ Markoff, supra note 16, at A1. Evidence obtained much later suggests that a criminal gang, known as the
Russian Business Network, was behind the cyberattacks with the support of the Russian government. Id. See
generally Eneken Tikk et al., Cyber Attacks against Georgia: Legal Lessons Identified, NATO COOPERATIVE
CYBER DEFENSE CENTER OF EXCELLENCE (2008) (providing more detailed information on the cyberattacks).

³⁴ Demetri Sevastopulo, Chinese Hacked into Pentagon, FIN. TIMES ONLINE, Sept. 3, 2007,
http://www.ft.com/cms/s/0/9dba9ba2-5a3b-11dc-9bcd-0000779fd2ac.html; Demetri Sevastopulo, Beware: Enemy Attacks in
Cyberspace, FIN. TIMES ONLINE, Sept. 3, 2007,
http://www.ft.com/cms/s/0/a89c1c88-5a38-11dc-9bcd-0000779fd2ac.html.

³⁵ Landler & Markoff, supra note 19, at A1.




and reduce the chances of a successful cyberattack,³⁶ states cannot rely on them to
completely secure their critical information systems. Furthermore, passive defenses do
little to dissuade attackers³⁸ from attempting their attacks in the first place.³⁹ Deterrence
comes from criminal laws and the penalties associated with them.⁴⁰ However, when states
fail to pass stringent criminal laws or look the other way when attackers strike rival states,
criminal laws are rendered impotent.⁴¹


See  Lehtinen  et  al.,  Computer  Security  Basics  3-21  (2d  ed.  2006);  Colarik,  supra  note  6,  at  10. 

See  Colarik,  supra  note  6,  at  163. 

Up  to  this  point,  the  term  hacker  has  been  used  to  generically  refer  to  anyone  conducting  a  cyberattack. 
However,  from  here  on,  this  paper  will  either  use  the  more  appropriate  term  “attacker”  to  generally  refer  to 
individuals  who  conduct  cyberattacks,  or  one  of  the  more  specific  terms:  “hacker,”  “cracker,”  “cybercriminal” 
and  “cyberterrorist.”  Hackers  are  anyone  with  an  eagerness  to  experiment  with  computers  and  test  their  limits. 
Crackers  are  hackers  who  unlawfully  break  into  systems;  usually  for  the  thrill  of  it,  but  also  to  peek  at 
interesting  data  contained  in  the  systems  targeted.  Cybercriminals  are  crackers  who  go  one  step  further  and  use 
their  cyberattacks  to  steal  and  sell  data,  embezzle  money,  or  engage  in  extortion.  Cyberterrorists  employ 
cyberattacks  to  create  fear  or  violence  through  the  destruction  or  disruption  of  computer  systems,  as  a  means  of 
influencing  a  government  or  population  to  conform  to  a  particular  political  or  ideological  agenda.  See 
Lehtinen  et  al.,  supra  note  36,  at  16-17;  Colarik,  supra  note  6,  at  37-48. 

In  the  case  of  hackers  and  crackers,  beating  security  measures  is  often  seen  as  a  fun  challenge.  See  LEHTINEN 
ET  AL.,  supra  note  36,  at  16-17;  Frontline:  Hacker  Interviews,  http://www.pbs.org/wgbh/pages/frontline/shows/ 
hackers/interviews/  (last  visited  Mar.  22,  2009).  Furthermore,  the  more  secure  a  system  is,  the  more  difficult  it 
is  for  an  attacker  to  penetrate  the  system’s  defenses;  however,  defensive  measures  alone  pose  little  risk  to  the 
attacker.  While  defensive  measures  can  trace  attacks  back  to  their  source,  absent  stringent  criminal  laws  and 
vigorous  law  enforcement,  defensive  measures  cannot  harm  an  attacker.  See  COLARIK,  supra  note  6,  at  40-45. 

See  Colarik,  supra  note  6,  at  39. 

The  White  House,  the  National  Strategy  to  Secure  Cyberspace  8  (2003).  State  cooperation  is 
essential  to  the  criminal  prosecution  of  international  attackers.  Id.  However,  state  cooperation  relies  on  the 
goodwill  of  nations.  For  instance,  even  when  an  attacker  has  been  identified,  the  host-state  may  refuse  to 
prosecute  or  extradite  them  back  to  the  victim-state.  Such  obligations  only  arise  from  international  treaties  that 
set  forth  state  responsibilities.  See  Factor  v.  Laubenheimer,  290  U.S.  276,  287  (1933);  GREENBERG  ET  AL., 
supra  note  24,  at  69-72;  Kamal,  supra  note  22,  at  215-22. 

Obtaining  state  cooperation  often  requires  intense  diplomatic  activity,  which  presents  its  own  challenges  to 
relying  on  host-state  criminal  laws.  For  instance,  diplomatic  activity  is  usually  required  to  get  a  host-state  to 
prosecute an attacker under its criminal laws, or to get a host-state to turn over an attacker so that he can be
prosecuted under the victim-state’s criminal laws; neither of which can be required absent a treaty requiring such
action. It is worth noting that the United States does not have extradition treaties with China or Russia, and thus
no legal right exists to demand extradition from those states. See Creekman, supra note 24, at 658.




Unfortunately, several major states refuse to take part in international efforts to eliminate
cyberattacks and seem unlikely to start doing so in the near future. For instance, despite
Chinese and Russian pledges to crack down on their attackers, no one has been brought to
justice for any of the attacks discussed. China, in fact, trains its hackers to bypass computer
defenses at its military academies. Furthermore, security experts believe that China
intentionally ignores the criminal acts of its hackers, buys stolen information from them, and
uses them to spy on other states. Meanwhile, Russia has rejected numerous Estonian
requests to help track down the attackers responsible for the 2007 cyberattacks against it.
As may be expected, China and Russia reject these accusations. Still, all of this suggests
that state cooperation is offered in name only, that these states are sponsoring cyberattacks,
and that states cannot rely on criminal laws to eliminate the growing cyberthreat. The foregoing
discussion illustrates the need to ascertain what states may legally do to defend themselves.


See Condron, supra note 24, at 414.

See Richard McGregor & Hugh Williamson, Beijing Pledges Crackdown on International Hackers, FIN.
TIMES ONLINE, Aug. 28, 2007, http://www.ft.com/cms/s/0/9b4cfc4e-54fe-11dc-890c-0000779fd2ac.html; Iain
Thomson, Russia Promises Piracy Crackdown, VNUNET.COM, Mar. 19, 2007, http://www.vnunet.com/vnunet/news/2185839/russia-promises-piracy
(reporting Russia’s pledge to crack down on online criminal activity).

See generally U.S.-CHINA ECONOMIC AND SECURITY REVIEW COMMISSION, 2008 REPORT TO CONGRESS
(2008),  available  at  http://www.uscc.gov  (describing  China’s  initiatives  to  augment  its  cyberwarfare  capabilities 
to  gain  an  advantage  over  the  United  States  in  any  future  conflict,  amid  other  economic  and  security  concerns). 

See Bruce Schneier, Chinese Cyber Attacks, July 14, 2008, http://www.schneier.com/blog/archives/2008/07/chinese_cyber_a.html
(speculating that China knows its leading hackers, intentionally ignores their international
crimes, and even buys stolen intelligence from them).

See  Hollis,  supra  note  22,  at  1026.  Lending  credence  to  Estonian  assertions  that  Russia  is  intentionally 
obstructing  the  criminal  investigation  into  the  cyberattacks  is  the  fact  that  the  Russian  public  has  hailed  the 
hackers responsible for the cyberattacks against Estonia as national heroes. See Clifford Levy, What’s Russian
for ‘Hacker’?, N.Y. TIMES, Oct. 21, 2007, at Week In Review, p. 1.

Associated Press, China Dismisses U.S. Espionage Report as Misleading, Nov. 22, 2008, available at
http://www.google.com/hostednews/ap/article/ALeqM5jzzULJt2ZiW2IZR3KKuViEpbOAlQD94JTGS80; Richard
McGregor & Demetri Sevastopulo, China Denies Hacking into Pentagon, FIN. TIMES ONLINE, Sept. 4, 2007,
http://www.ft.com/cms/s/0/a625db16-54c4-11dc-890c-0000779fd2ac.html; Hollis, supra note 22, at 1026.




B.  The  Importance  of  Using  Active  Defenses 


The  way  to  escape  this  dilemma  is  for  states  to  use  active  defenses.  Not  only  will  active 
defenses  greatly  decrease  the  chance  of  a  successful  cyberattack,  but  it  logically  follows  that 
attackers  will  hesitate  to  attack  a  state  when  they  know  their  attacks  will  be  met  with  a 
forceful response. After all, “[m]aintaining a credible ability to use force, in cyberspace and
elsewhere, is ... a fundamentally important aspect of deterrence.” But can states legally
act  in  this  manner?  And,  even  if  so,  is  this  the  best  way  to  address  the  cyberthreat? 

History  shows  that  states  will  take  matters  into  their  own  hands  when  legal  means  seem 
inadequate to protect themselves and their citizens. While no cyberattack has yet risen to a
level  where  a  state  felt  it  must  resort  to  force  to  defend  itself,  it  is  not  hard  to  imagine  a 
scenario  where  a  state  was  subject  to  a  cyberattack  so  severe  that  it  felt  an  armed  response 
was  required.  Given  the  ease  with  which  a  non-state  actor  could  trigger  such  a  scenario,  it  is 
imperative  for  international  law  to  provide  states  acceptable  legal  means  to  defend 
themselves.  When  international  law  provides  states  acceptable  legal  means  to  resolve  their 


Sharp, Sr., supra note 24, at 135; THOMAS WINGFIELD, THE LAW OF INFORMATION CONFLICT: NATIONAL
SECURITY LAW IN CYBERSPACE 361 (2000).

This happened in 2008, when the United States authorized its military to carry out air and ground assaults
against Al Qaeda inside other states without the approval of their governments. Since then, the United States
conducted raids inside Pakistan and Syria against their wishes. The United States justified its actions as
self-defense due to those states’ inability or unwillingness to handle the terrorists, despite evidence that Pakistan and
Syria were cooperating and having some success with their counter-terrorism efforts. See Eric Schmitt & Mark
Mazzetti, Bush Said to Give Orders Allowing Raids in Pakistan, N.Y. TIMES, Sept. 11, 2008, at A1; Jane Perlez,
Pakistan's Military Chief Criticizes U.S. Over a Raid, N.Y. TIMES, Sept. 11, 2008, at A8; Eric Schmitt & Thom
Shanker, Officials Say U.S. Killed an Iraqi in Raid in Syria, N.Y. TIMES, Oct. 28, 2008, at A1; Eric Schmitt &
Mark Mazzetti, Secret Order Lets U.S. Raid Al Qaeda, N.Y. TIMES, Nov. 10, 2008, at A1; Ismail Khan & Jane
Perlez, Airstrike Kills Militant Tied to Al Qaeda in Pakistan, N.Y. TIMES, Nov. 23, 2008, at A10.

When  states  take  matters  into  their  own  hands,  they  tend  to  justify  their  actions  under  the  mantle  of  law,  even 
when  they  fail  to  meet  the  accepted  legal  threshold.  This  is  done  as  a  tactical  measure  to  secure  the  broadest 
possible  support  for  their  actions.  Though  at  times,  the  states  actually  believe  their  actions  are  legal.  Sean 
Murphy, The Doctrine of Preemptive Self-Defense, 50 VILL. L. REV. 699, 727-31 (2005).




disputes,  states  are  more  likely  to  behave  in  predictable  ways  that  are  accepted  by  the 
international community. Thus, unless the international community wants to risk states
responding  to  cyberattacks  in  unpredictable  and  potentially  unacceptable  ways,  international 
law  must  adapt  to  provide  states  with  legal  means  to  effectively  defend  themselves. 

This  is  not  a  new  thought.  There  is  a  growing  recognition  among  legal  scholars  that  the 
current legal regime leaves states vulnerable to cyberattacks and needs to change.
However, despite their recognition of the problem, no consensus has emerged on the best
way to solve it. Some scholars advocate new treaties to get past this legal shortcoming. For
example, one proposal calls for a treaty requiring states to rebuild the Internet’s architecture
in a more secure manner, so that law enforcement can easily track attackers. Another
proposal calls for a comprehensive international treaty to regulate cyberattacks. Other
scholars advocate changing the law of war to allow states to respond to cyberattacks with
active defenses without having to attribute cyberattacks to a state. Thus, one scholar
proposed exempting states from having to attribute attacks against their critical
infrastructure. Another proposed that attributing attacks is unnecessary because states can
legally  respond  to  attacks  by  non-state  actors  with  force  under  customary  international  law 


See  Murphy,  supra  note  49,  at  704-05. 

Garnett & Clarke, supra note 13, at 488; GREENBERG ET AL., supra note 24, at 99-100; Kamal, supra note
22, at 83-84; Davis Brown, A Proposal for an International Convention to Regulate the Use of Information
Systems in Armed Conflict, 47 HARV. INT’L L.J. 179, 181-83 (2006); Condron, supra note 24, at 415-16; Hollis,
supra note 22, at 1023.

See generally LAWRENCE LESSIG, CODE: VERSION 2.0 (2006).

See generally Brown, supra note 51, at 179.

See  Jensen,  supra  note  5,  at  236-37;  Condron,  supra  note  24,  at  415-22. 




(CIL). While these approaches are all preferable to the current legal paradigm, there are
shortcomings  with  each  of  them,  which  this  paper  will  address. 

The  legal  authority  for  states  to  use  active  defenses  flows  from  states’  duty  to  prevent 
non-state  actors  within  their  borders  from  committing  cross-border  attacks.  “It  is  a  long 
established  principle  of  international  law  that  ‘a  State  is  bound  to  use  due  diligence  to 
prevent  the  commission  within  its  dominions  of  criminal  acts  against  another  state  or  its 
people.’” Traditionally, this duty only required states to prevent illegal acts that the state
knew about beforehand; however, this duty has evolved in response to international terrorism
to require states to act against groups generally known to carry out illegal acts. In the realm
of cyberwarfare, states must take this duty one step further and require each other to enact
and enforce criminal laws against cyberattacks as the only way to truly prevent cross-border
cyberattacks. Otherwise, the current situation that states face with China and Russia will
continue to exist. While no international treaty affirmatively obligates a state to hunt down
attackers within their borders, such as with piracy, reinterpreting the duty of prevention to


See Barkham, supra note 29, at 104; Michael Schmitt, Computer Network Attack and the Use of Force in
International Law: Thoughts on a Normative Framework, 37 COLUM. J. TRANSNAT’L L. 885, 933-34 (1999).
This  proposal  would  allow  states  to  use  active  defenses  regardless  of  who  is  conducting  the  cyberattack. 

See  infra  note  168  and  accompanying  text  (discussing  the  shortcomings  of  treaty  based  solutions);  infra  note 
377  and  accompanying  text  (discussing  the  shortcomings  of  the  current  proposals  to  change  the  law  of  war). 

Michael Schmitt, Preemptive Strategies in International Law, 24 MICH. J. INT’L L. 513, 540-41 (2003)
(quoting S.S. Lotus (Fr. v. Turk.), 1927 P.C.I.J. (ser. A) No. 10, at 88 (Sept. 7, 1927) (Moore, J., dissenting),
and  referring  to  numerous  state  pronouncements  to  that  effect  with  regard  to  international  terrorism). 

See  infra  Part  V.B  (discussing  the  traditional  and  contemporary  views  of  a  state’s  duty  to  prevent  non-state 
actors  within  their  borders  from  committing  cross-border  criminal  acts). 

See U.S. DEP’T OF THE NAVY, NWP 1-14M, THE COMMANDER’S HANDBOOK ON THE LAW OF NAVAL
OPERATIONS § 3.5 (2007) [hereinafter COMMANDER’S HANDBOOK] (referencing international law’s longstanding
obligation  for  states  to  repress  piracy;  and  quoting  the  1958  Geneva  Convention  on  the  High  Seas  and  the  1982 
Law  of  the  Sea  Convention). 




require  states  to  hunt  down  attackers  will  solve  the  attribution  problem  and  response  crisis. 
Once  this  duty  is  reinterpreted,  international  law  allows  victim-states  to  impute  state 
responsibility to host-states that neglected this duty, and respond in self-defense. In effect,
repeated  failure  by  a  state  to  take  criminal  action  against  its  attackers  will  result  in  it  being 
declared  a  sanctuary  state,  allowing  victim-states  to  use  active  defenses  against  cyberattacks 
originating  from  within  its  borders. 

Selectively  targeting  sanctuary  states  with  active  defenses  will  likely  also  provide  the 
added  benefit  of  getting  sanctuary  states  to  start  taking  cyberattacks  seriously  as  a  criminal 
matter.  Since  no  state  wants  another  state  acting  within  its  borders,  even  electronically,  this 
reinterpreted  duty  will  motivate  states  to  hunt  down  attackers  within  their  borders  and  work 
with  victim-states  to  bring  attackers  to  justice.  States  who  wish  to  avoid  being  the  targets  of 
active  defenses  can  easily  do  so;  all  they  have  to  do  is  pass  stringent  criminal  laws,  conduct 
vigorous and transparent criminal investigations, and prosecute attackers.

III.  Examining  Cyberattacks 

Effective  regulation  requires  an  understanding  of  the  conduct  it  seeks  to  regulate. 
Attempting  to  regulate  a  subject  without  understanding  it  can  easily  lead  to  ineffective 
regulations  that  fail  to  accomplish  their  intended  purpose.  This  paper  shall,  therefore, 
examine  cyberattacks,  their  potential  impact,  and  the  defenses  against  them,  as  a  precursor  to 
exploring  the  legal  regime  governing  them. 

See infra Part V-VI.

See  infra  Part  VI.B-C. 




A.  Types  of  Cyberattacks 


Cyberattacks  come  in  many  different  forms.  To  generalize,  there  are  three  main 
categories of cyberattacks. The first category is automated malicious software delivered
over the Internet. The second category is denial-of-service (DOS) attacks. The third
category is unauthorized remote intrusions into computer systems by individuals.

Before  considering  these  three,  it  is  worth  noting  that  cyberattacks  can  originate  locally 
rather  than  remotely  over  the  Internet.  For  instance,  malicious  software  may  be  locally 
loaded  onto  a  system  via  a  storage  device,  such  as  a  thumb  drive  or  computer  disc,  and 
unauthorized  intrusions  may  originate  at  a  physical  terminal  connected  to  a  computer 
network.  However,  while  computer  systems  are  more  vulnerable  to  internal  penetration  at 
their  physical  location,  this  paper  is  focused  on  external  cyberattacks  conducted  via  the 
Internet  across  international  borders. 


Cyberattacks  can  be  categorized  in  different  ways.  It  is  this  author’s  opinion  that  there  are  three  main 
categories of cyberattacks. However, other authors categorize cyberattacks into as few as two or as many as
four main categories. See LEHTINEN ET AL., supra note 36, at 79-95, 112-133 (categorizing cyberattacks into
viruses and Internet vulnerabilities); COLARIK, supra note 6, at 84 (categorizing cyberattacks into viruses,
denial-of-service  attacks,  web  defacements  and  unauthorized  penetration). 

See  COLARIK,  supra  note  6,  at  84. 

See id.

See  id. 

Internal penetrations are a serious issue despite not being the focus of this paper. Authorized users, also
known  as  insiders,  have  greater  access  to  computer  systems  than  unauthorized  users.  This  access  makes  it  easy 
for them to load malicious code onto a system, or to do something beyond their authorization. See COLARIK,
supra  note  6,  at  85-86.  Internal  penetrations  can  be  inadvertent  or  intentional.  In  the  case  of  an  inadvertent 
penetration,  a  user  might  connect  an  infected  storage  device  to  a  computer  network,  which  then  executes  its 
code  to  the  detriment  of  the  system.  In  the  case  of  an  intentional  penetration,  a  user  could  simply  use  their 
access  to  conduct  harmful  acts  within  their  access  rights,  or  attempt  to  use  their  limited  access  to  try  to  gain 
greater access to the system and then conduct harmful acts. See LEHTINEN ET AL., supra note 36, at 96-111.
However, despite being a cyberattack of sorts, internal penetrations should fall under domestic law, as the
cyberattack  occurs  as  a  result  of  a  physical  act  at  the  location  of  the  computer  networks.  This  puts  internal 
penetrations  squarely  in  the  domestic  jurisdiction  of  the  state  in  question.  Absent  an  intentional  act  by  a 




Malicious code or malware, as it is known inside computer circles, usually infects
computer systems through infected e-mails, vulnerability exploit engines or visits to infected
websites. Early malware fell into two main classifications, viruses and worms. Viruses
are code fragments that copy themselves into larger programs, modifying those programs to
carry out functions other than those originally intended. The virus is dependent on the main
program, and cannot execute until the main program is run. Once the main program is run,
viruses load themselves into the memory of the computer system and execute their code.
A virus then replicates itself, infecting other programs and files. After it finishes
reproducing, it carries out whatever dirty work is in its programming, called delivering a
payload. Worms are self-sustaining independent programs that reproduce themselves by
copying themselves in full-blown fashion from one computer to another via a network or the
Internet. Worms can spread rapidly from system to system, copying themselves to any


member  of  a  transnational  terrorist  organization,  who  happens  to  have  gained  local  access  to  a  computer  system, 
there  is  no  international  character  to  the  penetration.  In  the  case  that  such  an  act  is  committed  by  a  transnational 
terrorist,  some  of  the  concepts  discussed  in  this  paper  may  be  appropriate  for  analogy. 

LEHTINEN  ET  AL.,  supra  note  36,  at  79;  COLARIK,  supra  note  6,  at  84. 

LEHTINEN  ET  AL.,  supra  note  36,  at  80.  These  definitions  were  derived  from  the  methods  the  programs  used  to 
carry  out  an  attack.  Id. 

Id.  at  81-82. 

LEHTINEN ET AL., supra note 36, at 82; COLARIK, supra note 6, at 91.

LEHTINEN  ET  AL.,  supra  note  36,  at  82;  COLARIK,  supra  note  6,  at  91-92. 

LEHTINEN  ET  AL.,  supra  note  36,  at  82. 

Id. at 85.




computer systems connected to the infected computer and, if programmed to do so, delivering
their payload on the new system after replicating themselves.

As  computer  programs  became  more  sophisticated,  classifying  malware  by  their  attack 
method failed to adequately describe the diverse nature of viruses and worms. As a result,
these categories were further defined by their function. The most common subdivisions of
viruses and worms are Trojan horses, rootkits, sniffers, exploits, bombs and zombies.
Attackers may choose a single one of these programs or use them in conjunction with each
other. Additionally, attackers may also use malware in conjunction with DOS attacks and
unauthorized remote intrusions.


LEHTINEN ET AL., supra note 36, at 85; COLARIK, supra note 6, at 92.

Lehtinen  ET  AL.,  supra  note  36,  at  80. 

Id.

Lehtinen  ET  AL.,  supra  note  36,  at  80-81.  Trojan  horses  trick  a  user  into  running  a  program  that  appears  to 
be  beneficial,  but  actually  has  a  code  fragment  hidden  inside  the  program,  which  performs  a  disguised  function. 
Id.  at  87.  Rootkits  install  new  accounts  on  a  computer  system  or  steal  existing  account  information,  and  then 
elevate  the  security  level  of  those  accounts  to  the  highest  degree  so  that  the  attacker  can  later  enter  at  will 
without  obstruction.  Id.  at  81,  87.  Sniffers  monitor  the  keystrokes  of  authorized  users  and  send  the  stolen 
information back to a storage facility for later access by the program designer. Id. at 81, 88. Exploits are
programs  that  capitalize  on  known  or  undiscovered  system  vulnerabilities,  such  as  weaknesses  in  a  piece  of 
software  or  the  operating  system,  to  gain  access  to  the  system  and  execute  their  program.  Id.  at  81,  87.  Exploits 
may  also  capitalize  on  system  vulnerabilities  created  through  poor  security  practices  and  procedures,  in  addition 
to  those  created  by  technical  errors.  See  Wilson,  supra  note  15,  at  CRS-25.  Bombs  are  programs  that  destroy 
data by reformatting the hard disc or corrupting files by inserting random data into them. U.S. ARMY
TRAINING AND DOCTRINE COMMAND, DCSINT HANDBOOK NO. 1-02, CRITICAL INFRASTRUCTURE THREATS
AND TERRORISM VII-7 (2006) [hereinafter CRITICAL INFRASTRUCTURE THREATS]. Bombs can execute
immediately  after  being  loaded  onto  a  system  or  be  delayed  to  go  off  at  a  later  date.  LEHTINEN  ET  AL.,  supra 
note  36,  at  88.  Time  bombs  can  be  set  to  go  off  at  a  specific  time;  logic  bombs  can  be  set  to  go  off  after  a 
particular  event  occurs.  Id.  at  88.  Zombies  are  malware  that  entrenches  itself  inside  a  computer  system  and 
then  lays  low  until  its  master  triggers  it  into  action.  Id.  at  81,  83. 

See LEHTINEN ET AL., supra note 36, at 79-95. For example, an attacker may use a Trojan horse to deliver a
rootkit  or  sniffer,  or  may  use  an  exploit  to  implant  a  zombie. 




Denial-of-service  (DOS)  attacks  use  the  communication  protocols  that  allow  computers  to 
communicate  with  one  another  against  them,  overwhelming  the  targeted  computer  system 
with  information  until  it  seizes  up  and  ceases  to  function.  This  effectively  denies  the 
availability  of  the  targeted  system  to  legitimate  users.  Denial-of-service  attacks  can  use 
malformed  packets  to  overwhelm  a  system’s  processors,  or  flood  the  processor  with  so  many 
data  requests  that  it  overwhelms  the  system  itself  or  its  supporting  network  bandwidth.  The 
most severe form of DOS attack is a distributed-denial-of-service (DDOS) attack.
Distributed-denial-of-service attacks are DOS attacks launched simultaneously from
numerous computers. The sheer volume of a DDOS attack makes it extremely difficult to
defend  against.  In  addition  to  being  able  to  cripple  computer  systems  attached  to  the 


See LEHTINEN ET AL., supra note 36, at 81; COLARIK, supra note 6, at 84, 103.

LEHTINEN ET AL., supra note 36, at 12.

See  COLARIK,  supra  note  6,  at  103. 

See  id. 

LEHTINEN ET AL., supra note 36, at 81. DDOS attacks are usually launched from zombies, which attackers
hijack ahead of time. These virtual networks of zombies all being directed at once for a single nefarious
purpose are known as Botnets. It is not unheard of to have several hundred thousand zombies, or Bots,
harnessed  at  once  to  unleash  one  coordinated  massive  attack.  Botnets  can  be  used  to  deliver  malicious  code, 
gather  information  or  conduct  DDOS  attacks.  See  Wilson,  supra  note  15,  at  CRS-5  to  CRS-7. 

An  interesting  evolution  of  DDOS  attacks  occurred  in  2007  with  the  “e-Jihad”  computer  program.  e-Jihad  let 
computer  owners  freely  give  control  of  their  system  to  the  creators  of  e-Jihad,  who  agreed  to  use  their 
computers to attack anti-Islamic entities. e-Jihad would coordinate the attacks of the freely lent computers,
effectively  turning  them  into  a  network  of  zombies,  and  report  back  to  the  owners  on  the  success  rates  of  the 
attacks.  e-Jihad  has  since  been  shut  down,  but  there  will  inevitably  be  similar  programs  in  the  future.  See  Larry 
Greenemeier, ‘Electronic Jihad’ App Offers Cyberterrorism for the Masses, INFORMATIONWEEK.COM, July 2,
2007, http://www.informationweek.com/news/internet/showArticle.jhtml?articleID=200001943.

See COLARIK, supra note 6, at 103.




Internet, DOS attacks can overwhelm system defenses, such as knocking down a firewall, so
that the system becomes vulnerable to other forms of attack.
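The following added example (not part of the thesis) illustrates why the distributed form described above is harder to defend against than a single-source DOS attack: a per-source rate limit removes one flooding host, but a botnet whose members each stay under that limit still leaves traffic above what the system can absorb. The request log, addresses and thresholds are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

WINDOW_SECONDS = 10      # assumed measurement window
PER_SOURCE_LIMIT = 100   # assumed: requests one source may send per window
CAPACITY = 1000          # assumed: requests per window the system can absorb


def sample_events():
    """Constructed (timestamp, source_ip) request log covering three windows."""
    clients = [f"192.0.2.{i}" for i in range(1, 51)]      # 50 legitimate clients
    base = ipaddress.ip_address("10.20.0.0")
    bots = [str(base + i) for i in range(400)]            # 400 botnet members
    events = []
    for start in (0, 10, 20):                             # normal load in every window
        events += [(start + t, c) for c in clients for t in (0, 2, 4, 6)]
    # Window 10: DOS attack, one host sends 5000 requests.
    events += [(10 + k % 10, "198.51.100.66") for k in range(5000)]
    # Window 20: DDOS attack, each bot sends only 5 requests.
    events += [(20 + k, b) for b in bots for k in range(5)]
    return events


def windows(events, window=WINDOW_SECONDS):
    """Count requests per source inside each fixed-size time window."""
    buckets = defaultdict(Counter)
    for ts, src in events:
        buckets[int(ts) // window * window][src] += 1
    return buckets


def classify(events):
    """Label each window and show what a per-source rate limit would leave behind."""
    report = {}
    for start, per_source in sorted(windows(events).items()):
        total = sum(per_source.values())
        # Sources a per-source rate limiter would block.
        over = sorted(s for s, n in per_source.items() if n > PER_SOURCE_LIMIT)
        # Traffic that still reaches the system after blocking those sources.
        residual = total - sum(per_source[s] for s in over)
        if residual > CAPACITY:
            verdict = "distributed flood"      # blocking individual hosts is not enough
        elif over:
            verdict = "single-source flood"    # blocking the noisy host restores service
        else:
            verdict = "normal"
        report[start] = {
            "verdict": verdict,
            "total": total,
            "sources": len(per_source),
            "over_limit_sources": over,
            "residual": residual,
        }
    return report


if __name__ == "__main__":
    for start, row in classify(sample_events()).items():
        print(start, row["verdict"], row["total"], row["sources"], row["residual"])
```

In the distributed window no single address exceeds the per-source limit, so the only usable signals are the aggregate volume and the jump in distinct sources.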

Unauthorized  remote  intrusions  are  external  penetrations  of  a  computer  system  by  an 
attacker. They occur at user access points and require user account names and passwords.
Attackers  usually  use  malware  to  infect  computer  systems  to  acquire  such  information  or  to 
create  fake  user  accounts  on  target  systems.  However,  attackers  also  use  social  engineering, 
packet sniffers and password cracking to acquire user account information. Once an
attacker  gains  access  to  a  system,  the  attacker  can  do  a  variety  of  harmful  things  with  or  to 
the  system,  including  “caus[ing]  people  or  processes  to  act  on  the  changed  data  in  a  way  that 
causes a cascading series of damages in the physical and electronic world.”

B.  Potential  Impact  of  Cyberattacks 


COLARIK,  supra  note  6,  at  103.  Web-based  attacks,  such  as  a  DOS  attack,  can  be  used  to  cause  a  buffer 
overflow  in  the  memory  of  the  targeted  computer.  Buffer  overflows  of  the  computer’s  stack,  the  part  of 
memory  used  for  temporary  variable  storage,  can  cause  the  computer  to  write  the  overflow  of  data  to  the 
computer’s  heap,  the  segment  of  memory  that  stores  code  waiting  for  execution.  This  is  called  “smashing  the 
stack.”  Smashing  the  stack  allows  attackers  to  implant  executable  programs  into  the  targeted  computer  to  gain 
further access. Imagine a rootkit being implanted this way. See LEHTINEN ET AL., supra note 36, at 131-32.

See COLARIK, supra note 6, at 94.

See  id.  at  97. 

See  COLARIK,  supra  note  6,  at  97-98.  Social  engineering  tricks  users  into  giving  away  their  account 
information.  This  often  happens  when  attackers  impersonate  company  employees  or  system  administrators  over 
the phone. Id. at 94. Packet sniffers capture user data being transmitted to/from a system. Id. at 97-98.
Password  cracking  comes  in  two  forms,  brute  force  and  dictionary  attacks.  Brute  force  attacks  guess  passwords 
“by  trying  every  possible  combination  of  characters,  one  attempt  at  a  time.”  Dictionary  attacks  guess  passwords 
by  using  commonly  used  words  or  variations  thereof.  Dictionary  attacks  are  often  aided  by  advance 
reconnaissance,  as  many  people  pick  easy  passwords,  such  as  their  initials  or  children’s  names.  LEHTINEN  ET 
AL., supra note 36, at 61.

COLARIK,  supra  note  6,  at  84. 




The Internet’s open architecture makes it “ideally suited for asymmetrical warfare.”
Cyberattacks “can be used by both states and non-state actors to anonymously pry into a
state’s public, sensitive and classified computers ... to manipulate data; to deceive decision
makers; to influence public opinion; and even to cause physical destruction from remote
locations abroad.” Cyberattacks overcome the requirement for conventional military
forces, allowing attackers who understand computer systems to inflict damage on another
state, anonymously and for minimal cost, from the other side of the globe.

Attackers  can  direct  cyberattacks  at  any  computer  system  connected  to  the  Internet; 
however, the most dangerous attacks are those against critical national infrastructure (CNI).
CNI systems are so essential to a state’s well-being that states have sworn to protect them
regardless of whether the systems are civilian or governmental. While there is no inclusive
list of CNI, a functional analysis of the role that computers play in key resource sectors
shows that computer systems form the backbone of almost every nationally significant
sector, including: banking and finance, communications, energy, emergency services,


Wingfield, supra note 48, at 21.

Id. at 21-22.

See  id.  at  22. 

See Timothy Shimeall et al., Countering Cyber War, 49 NATO REV. 16, 17-18 (Winter 2001/2002),
available at http://www.nato.int/docu/rev-pcif/eng/0104-en.pdf (noting cyberattacks on CNI would likely result
in  significant  loss  of  life,  and  economic  and  social  degradation).  While  cyberattacks  against  CNI  are  the  most 
dangerous  form  of  cyberattack,  lesser  attacks  are  still  destructive.  For  instance,  the  FBI  recently  estimated  that 
cybercrime,  a  subset  of  cyberattacks,  causes  an  average  financial  loss  of  $167,713  per  attack,  and  as  a  whole  has 
caused  over  $400  billion  in  damages  in  the  United  States.  WILSON,  supra  note  15,  at  CRS-27  to  CRS-29. 

See Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization and
Protection  (2003);  Condron,  supra  note  24,  at  404-07;  Jensen,  supra  note  5,  at  226-28;  JOHN  MOTEFF,  CONG. 
Research  Serv.  Report,  Critical  Infrastructures:  Background,  Policy,  and  Implementation,  RL 
30153,  at  CRS-3  to  CRS-13  (2008). 




government, transportation, and water supply. Cyberattacks against these sectors can
intimidate  populations,  damage  an  economy,  and  even  injure  or  kill.  Furthermore, 
cyberattacks  provide  terrorists  a  way  to  increase  the  destructive  impact  of  physical  attacks. 

In  essence,  cyberattacks  are  just  another  tool  for  a  state’s  enemies  to  use  against  it. 

Cyberattacks  can  terrorize  a  population,  just  like  normal  terrorist  attacks.  The  National 
Security  Agency  has  demonstrated  that  cyberattacks  can  disrupt  operations  at  major  military 
commands,  cause  large-scale  blackouts,  and  interrupt  phone  service  across  the  United 
States.  Furthermore,  much  of  the  United  States’  CNI  is  controlled  by  Supervisory  Control 
and Data Acquisition (SCADA) systems, which are particularly vulnerable to cyberattacks.
When cyberattacks shut down these systems, people, businesses and government can be
deprived of basic services, which can cause panic in a populace, effectively turning these
cyberattacks into a means of scaring a population, potentially for political ends. Another


See generally Department of Homeland Security, Critical Infrastructure and Key Resources,
http://www.dhs.gov/xprevprot/programs/gc_l  189168948944.shtm  (last  visited  Mar.  22,  2009)  (detailing  the 
different  sectors  of  critical  national  infrastructure  and  explaining  their  interrelations). 

See COLARIK, supra note 6, at 15-28 (2006).

See COLARIK, supra note 6, at 51-52; WILSON, supra note 15, at CRS-21.

See  Wingfield,  supra  note  48,  at  24-25  (discussing  the  1997  Eligible  Receiver  military  exercise). 

Wilson, supra note 15, at CRS-21 to CRS-23. SCADA systems are often remotely located and unmanned,
but  still  connected  to  the  Internet  to  perform  their  command  and  control  functions.  Id.  They  are  used  to 
manage  public  and  private  utilities,  and  much  of  the  communications  infrastructure.  COLARIK,  supra  note  6,  at 
122. 

See COLARIK, supra note 6, at 19-20, 118-24 (2006). The vulnerability of SCADA systems has been
demonstrated many times. In 2003, the “Slammer” worm shut down the control systems of an Ohio nuclear
power plant. Wilson, supra note 15, at CRS-22. Also in 2003, the “Blaster” worm interrupted the warning
systems of the northeastern power grid and contributed to the 2003 blackout across the eastern United States.
Id. at CRS-23. In 2007, the Aurora Generator Test conducted by Idaho National Laboratories demonstrated that
coordinated cyberattacks can overheat and shut down power turbine generators. Id. at CRS-19 to CRS-20.
Furthermore, security experts believe that Chinese cyberattacks contributed to two blackouts in the United
States. The first was the northeastern blackout in 2003; the second was the Daytona Beach and Monroe County,
Florida blackout in February 2008. Shane Harris, China's Cyber-Militia, Nat’l J., May 31, 2008, cover story.




vulnerability  of  corporate,  government,  and  military  critical  systems  is  their  frequent  reliance 
on Commercial-Off-The-Shelf (COTS) hardware and software. Systems relying on COTS
products are more vulnerable to penetration than specially designed systems, making them
easier to exploit, more susceptible to damage, and thus more likely to lead to harm to a state
and its citizens. Intimidating populations with cyberattacks is just another way for
terrorists  to  sow  fear. 

The  potential  economic  consequences  of  cyberattacks  are  just  as  profound.  Cyberattacks 
have  the  potential  to  cripple  a  state’s  commercial  infrastructure,  such  as  a  stock  exchange, 
and bring the state’s economy to its knees. Cyberattacks on the underlying economic
infrastructure of a state are an attractive method of warfare for terrorists because so much of
a state’s economy is facilitated by telecommunications and computer systems. Successful
terrorist attacks on banking and finance CNI have the potential to undermine confidence in a
state’s economic infrastructure, and increase the costs of doing business to the point that
doing such business becomes commercially infeasible. At a time when tens of trillions of
dollars  are  held  by  international  banks,  worldwide  annual  credit  card  purchases  nearly  reach 


Wilson,  supra  note  15,  at  CRS-23  to  CRS-24;  COLARIK,  supra  note  6,  at  130. 

Wilson, supra note 15, at CRS-24. Government use of COTS systems has already resulted in the
infiltration  of  top-secret  computer  systems  on  more  than  one  occasion.  Id. 

Wingfield,  supra  note  48,  at  24-25;  COLARIK,  supra  note  6,  at  139. 

See  COLARIK,  supra  note  6,  at  124-28. 

See  id.  at  22. 




$2 trillion, and online sales in the United States already amount to hundreds of billions per
annum, cyberattacks provide an extremely attractive attack method for a state’s enemies.

Cyberattacks also have the potential to injure or kill, either directly or indirectly.
Cyberattacks directed against the transportation sector, for example, could crash airplanes,
or cause trains to collide. The transportation sector relies heavily on SCADA and COTS
systems, and has already proven vulnerable to cyberattacks. Cyberattacks could also be
directed against dams, causing floodgates to open, or chemical, nuclear and liquid natural
gas plant control systems, which could easily lead to widespread physical damage or
death. To illustrate these points, in 2000 a cyberattack took control of a sewage plant in
Maroochy Shire, Australia, and dumped 264,000 gallons of untreated sewage into the local
environment. Cyberattacks could also directly target medical systems, altering critical
medical  information,  such  as  blood  types,  immunization  histories,  allergies,  or  other  critical 


See  COLARIK,  supra  note  6,  at  124-28  (reviewing  commerce  over  the  Internet);  WILSON,  supra  note  15,  at 
CRS-21 (referencing Chinese military journals, which claim the ability to bring down U.S. financial markets
with cyberattacks); U.S. Census Bureau, The 2009 Statistical Abstract: Online Retail Sales,
http://www.census.gov/compendia/statab/cats/wholesale_retail_trade/online_retail_sales.html (recording $128.1 billion in online
sales in 2007 and projecting online sales to rise to $147.6 billion in 2008, in the Online Retail Spending report).

See Critical Infrastructure Threats, supra note 78, at VII-7.

See COLARIK, supra note 6, at 128-30.

See Critical Infrastructure Threats, supra note 78, at VII-1 (noting the railroad signal and switching
system could be manipulated to cause trains to crash into each other).

While no one was hurt when it happened, hackers have previously taken over and shut off a regional
airport’s control tower and runway lights. COLARIK, supra note 6, at 130.

See  Wilson,  supra  note  15,  at  CRS-21. 

Shea,  supra  note  13,  at  CRS-8. 

Id.  at  CRS-7. 




data. “The modification of such details could cause the medical practitioners to diagnose a
course of treatment that could be fatal to the patient.”

The  scenario  that  concerns  experts  the  most,  however,  is  the  use  of  cyberattacks  against 
electronic  emergency  warning  and  response  systems  in  conjunction  with  physical  attacks. 
When  attackers  use  cyberattacks  to  degrade  state  defenses  to  physical  attacks  in  this  manner, 
they exponentially amplify the likely total damage from a physical attack. Given the
devastating  impact  that  cyberattacks  can  have  on  a  population’s  sense  of  security,  economic 
well-being  and  safety,  it  is  imperative  for  states  to  defend  themselves  with  the  best  computer 
defenses  allowed  under  the  law. 

C.  Defenses  against  Cyberattacks 

Today,  computer  security  is  typically  divided  into  four  general  categories:  system  access 
controls, data access controls, security administration, and secure system design. These
defenses  function  on  the  general  axiom  of  computer  security  that  states  can  limit  the  damage 
from  cyberattacks  by  reducing  an  attacker’s  ability  to  gain  unauthorized  access  to  a  computer 


COLARIK, supra note 6, at 131.

Id.

Shea,  supra  note  13,  at  CRS-9. 

COLARIK,  supra  note  6,  at  138-40;  CRITICAL  INFRASTRUCTURE  THREATS,  supra  note  78,  at  VII-7;  SHEA, 
supra  note  13,  at  CRS-9.  Furthermore,  evidence  indicates  that  terrorists  are  conducting  cybersurveillance  on 
U.S.  critical  infrastructure  for  this  purpose.  SHEA,  supra  note  13,  at  CRS-6  to  CRS-7. 

Lehtinen  ET  AL.,  supra  note  36,  at  49-50. 




system. The more securely a system is designed, the more difficult it is for attackers to
penetrate the system and cause harm.

However, computer security has a potential fifth category: active defenses. The
difference between passive defenses and active defenses is that passive defenses do not use
force, and as a result, are considered lawful under international law. Active defenses, on
the other hand, employ electronic force to counterattack the source of a cyberattack, and may
only be used when force is authorized under the law of war. So far, states have confined
their computer security to passive defenses, as active defenses are forbidden under the
prevailing view of the law of war. However, all five categories of computer security
provide  states  with  essential  tools  to  protect  themselves  from  cyberattacks. 

The first form of passive defenses is system access controls. They prevent unauthorized
users from getting into a system, and force authorized users to be security conscious.
System access controls start with identification and authentication. This may be as simple


See  COLARIK,  supra  note  6,  at  83  (noting  that  without  access,  all  an  attacker  can  do  is  shut  down  a  system  or 
prevent  access  to  it). 

See  Lehtinen  et  al.,  supra  note  36,  at  49  (noting  that  computer  security  makes  sure  computers  do  what 
they’re  supposed  to  do  by  protecting  the  data  stored  in  a  computer  from  being  read,  destroyed  or  modified  by 
those  without  authorized  access). 

See  Jensen,  supra  note  5,  at  230. 

Id. 

Id.  at  231. 

See supra Part II.A.

Lehtinen  et  al.,  supra  note  36,  at  49. 

Identification  is  the  way  users  tell  the  system  who  they  are.  Authentication  is  the  way  users  prove  to  a 
system  they  are  who  they  say  they  are.  Id.  at  50-51. 




as providing a username and password, or it may require technological devices to log in,
such as an electronic key, token, badge or smart card. Some systems are so advanced that
biometric or behavioral information is required to access them, such as fingerprints,
handprints, retina pattern, iris pattern, voice, signature or keystroke patterns. Other system
access controls include transmission encryption, challenge and response procedures, and
password controls.

Data  access  controls  are  similar  to  system  access  controls,  except  that  instead  of 
protecting  the  system  at-large,  their  protection  is  aimed  at  the  data  and  programs  inside  the 
system. Authorization is the key to data access controls. It checks to see if the users of a
system  have  rights  to  access  particular  files.  Data  access  controls  allow  multiple  users  to 


Id. at 51.

These  devices  contain  electronic  code  that  allows  you  to  access  a  system,  and  may  even  be  so  sophisticated 
as  to  continually  calculate  new  passwords  based  on  time-of-day  or  secure  algorithms.  The  computer  system 
being  accessed  will  have  matching  information  to  the  security  device,  and  will  grant  access  once  the  petitioning 
party’s  password  matches.  Id. 

Lehtinen  ET  AL.,  supra  note  36,  at  52.  Encryption  scrambles  data  during  transmission,  which  can  only  be 
unlocked  with  the  correct  session  key.  There  are  numerous  encryption  protocols  that  can  be  used,  such  as  DES, 
Kerberos  and  Rijndael,  all  of  which  use  some  version  of  session  keys  to  authenticate  messages  and  protect 
communications.  See  Lehtinen  ET  AL.,  supra  note  36,  at  137-72;  COLARIK,  supra  note  6,  at  72-73. 

Challenge  and  response  is  when  users  are  asked  to  re-authenticate  themselves  frequently  at  random  intervals 
throughout  their  session  with  the  system.  LEHTINEN  ET  AL.,  supra  note  36,  at  52. 

Password  controls  may  attempt  to  stop  unauthorized  users  from  accessing  a  system.  These  controls  can 
range  from  warning  messages  to  unauthorized  users,  to  limiting  the  number  of  attempts  to  enter  the  correct 
password,  to  implementing  login  failure  wait  times  between  attempts,  to  password  locks  for  incorrect  logins. 
Password  controls  may  also  force  users  to  be  more  security  conscious.  These  controls  can  range  from  forcing 
them  to  change  their  password  at  regular  intervals,  to  requiring  minimum  length  passwords,  to  showing  users 
the  date/time  of  their  last  login.  Id.  at  59-60. 

Id.  at  50. 

Systems  typically  maintain  a  file  containing  information  about  user  privileges  and  characteristics.  This  is 
often  called  a  security  profile.  Id.  at  61-62. 



use  a  system  without  having  to  grant  everyone  access  to  every  file  on  the  system.  Other 
data  access  controls  include  data  storage  encryption  and  reference  monitors. 
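The authorization check described above, together with the reference monitor and audit trail covered in this section's notes, can be sketched as follows. This is an added example, not code from the thesis or its sources; the class names, access levels, users and file paths are all constructed for illustration.

```python
"""Reference monitor sketch: authorization checked against user security profiles."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sensitivity levels for illustration; a real system defines its own.
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass(frozen=True)
class SecurityProfile:
    """Per-user privileges: the 'security profile' kept on file by the system."""
    user: str
    clearance: str                       # highest level this user may access
    readable: frozenset = frozenset()    # files the user may read
    writable: frozenset = frozenset()    # files the user may modify


@dataclass
class ReferenceMonitor:
    profiles: dict                       # user name -> SecurityProfile
    file_levels: dict                    # file path -> level name
    audit_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def check(self, user, path, mode):
        """Decide one access attempt. Deny by default and record every decision."""
        profile = self.profiles.get(user)
        level = self.file_levels.get(path)
        if mode not in ("read", "write"):
            allowed, reason = False, "unsupported mode"
        elif profile is None:
            allowed, reason = False, "unknown user"
        elif level is None:
            allowed, reason = False, "unclassified file"
        elif LEVELS[level] > LEVELS[profile.clearance]:
            allowed, reason = False, "above access level"
        elif path not in (profile.writable if mode == "write" else profile.readable):
            allowed, reason = False, "no grant for this file"
        else:
            allowed, reason = True, "authorized"
        # The audit trail records denials and successes alike.
        self.audit_log.append(
            {"user": user, "path": path, "mode": mode, "allowed": allowed, "reason": reason}
        )
        # An attempt above the user's access level is reported to the administrator.
        if reason == "above access level":
            self.alerts.append(f"{user} attempted {mode} on {path} (level: {level})")
        return allowed

    def denials_by_user(self):
        """Audit review: count denied attempts per user to surface suspicious accounts."""
        return Counter(e["user"] for e in self.audit_log if not e["allowed"])


def demo():
    """Run constructed access attempts through the monitor and return the results."""
    monitor = ReferenceMonitor(
        profiles={
            "alice": SecurityProfile("alice", "secret",
                                     readable=frozenset({"/ops/plan.txt", "/pub/menu.txt"}),
                                     writable=frozenset({"/ops/plan.txt"})),
            "bob": SecurityProfile("bob", "internal",
                                   readable=frozenset({"/pub/menu.txt", "/hr/leave.txt"})),
        },
        file_levels={"/pub/menu.txt": "public", "/hr/leave.txt": "internal",
                     "/ops/plan.txt": "secret"},
    )
    attempts = [
        ("alice", "/ops/plan.txt", "write"),   # authorized
        ("bob", "/hr/leave.txt", "read"),      # authorized
        ("bob", "/hr/leave.txt", "write"),     # denied: read-only grant
        ("bob", "/ops/plan.txt", "read"),      # denied and alerted: above access level
        ("mallory", "/pub/menu.txt", "read"),  # denied: no profile on file
    ]
    decisions = [monitor.check(*a) for a in attempts]
    return decisions, monitor


if __name__ == "__main__":
    decisions, monitor = demo()
    print(decisions)
    print(monitor.alerts)
    print(dict(monitor.denials_by_user()))
```

Because every decision is logged, the same record serves the security audit function: repeated denials against one account stand out on review even when no single attempt triggered an alert.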

Security administration is the human side of computer security. It uses security
procedures to protect a system, delineates system administrator responsibilities, ensures users
are trained on computer security, and monitors users to ensure security policies are
observed. Examples of security administration are setting and publicizing security
policies, performing risk analysis and disaster planning, training and monitoring
employees, creating and maintaining user security profiles, penetration testing,


See Lehtinen et al., supra note 36, at 61-67; COLARIK, supra note 6, at 69-71. This is another important
layer of security on top of system access controls, as it helps stop attackers from accessing sensitive data/programs
after they’ve gained unauthorized access to a system. Lehtinen et al., supra note 36, at 66.

Encryption of stored data helps prevent the access of and tampering with sensitive information. COLARIK,
supra note 6, at 71.

Reference  monitors  review  access  attempts  and  cross-reference  them  against  user  security  profiles.  If  a  user 
attempts to access files above their access level, then the reference monitor alerts the system administrator. Id.

Lehtinen et al., supra note 36, at 96.

Id.  at  50. 

Security  policies  are  designed  to  make  systems  more  secure.  An  example  of  a  security  policy  is  the 
separation  of  administrator  duties.  The  separation  of  duties  prevents  any  one  user  from  controlling  the  system’s 
security  mechanisms.  By  separating  duties  among  a  group  of  individuals,  it  becomes  harder  for  cyberattackers 
to take control of a system through the impersonation of an individual account. Id. at 97, 108-10.

Id.  at  97. 

144^^ 

Lehtinen  et  al.,  supra  note  36,  at  97. 

Penetration  testing  is  when  the  system  administrator  simulates  cyberattacks  to  test  a  computer  system  for 
security  holes.  Id.  at  97,  107-08. 




backing up system files, arranging for the use of other computer facilities or equipment in
case of an emergency, and performing security audits.

Secure system design uses hardware and software to protect the system. Examples of
security hardware are segmented system memory, physical gateways, and building a
system to withstand denial-of-service attacks. Examples of security software are anti-virus
programs, encryption programs, firewalls, and intrusion detection systems.
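The firewall behavior quoted in this section's notes (address lists, port checks, and tracking of outgoing packets so that only expected replies return) can be sketched as a small stateful packet filter. This is an added example, not code from the thesis or its sources; the class and field names are hypothetical, and the addresses are constructed values from the reserved documentation ranges.

```python
"""Packet-filter sketch following the firewall behaviour quoted in this section."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    outbound: bool          # True when the packet is leaving the protected network


@dataclass
class Firewall:
    forbidden_addrs: set    # addresses never allowed as source or destination
    inbound_ports: set      # services the protected network offers to outsiders
    outbound_ports: set     # services that inside hosts are allowed to reach
    expected: set = field(default_factory=set)   # replies the firewall is waiting for

    def filter(self, p):
        """Return (passed, reason) for one packet; anything not allowed is stopped."""
        # Rule 1: stop traffic heading to, or coming from, a forbidden address.
        if p.src in self.forbidden_addrs or p.dst in self.forbidden_addrs:
            return False, "forbidden address"
        if p.outbound:
            # Rule 2: valid address, but the port (the packet's function) is not allowed.
            if p.dst_port not in self.outbound_ports:
                return False, "port not allowed"
            # Rule 3: remember the flow so that only its reply is let back in.
            self.expected.add((p.dst, p.dst_port, p.src, p.src_port))
            return True, "outbound allowed"
        # Inbound: a reply to a tracked outgoing packet is expected and returning.
        if (p.src, p.src_port, p.dst, p.dst_port) in self.expected:
            return True, "expected reply"
        if p.dst_port in self.inbound_ports:
            return True, "inbound service allowed"
        return False, "port not allowed"


def demo():
    """Filter a constructed packet sequence and return each decision in order."""
    fw = Firewall(forbidden_addrs={"203.0.113.66"},
                  inbound_ports={443},
                  outbound_ports={53, 443})
    inside, web, peer = "192.0.2.10", "192.0.2.20", "198.51.100.7"
    packets = [
        Packet(peer, 40000, web, 443, False),            # request to an offered service
        Packet(peer, 40001, web, 23, False),             # port that is not offered
        Packet("203.0.113.66", 40002, web, 443, False),  # forbidden source
        Packet(peer, 53, inside, 51000, False),          # unsolicited "reply"
        Packet(inside, 51000, peer, 53, True),           # inside host sends a query
        Packet(peer, 53, inside, 51000, False),          # the same reply, now expected
        Packet(inside, 51001, "203.0.113.66", 443, True),  # forbidden destination
        Packet(inside, 51002, peer, 6667, True),         # outbound port not allowed
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for passed, reason in demo():
        print("PASS" if passed else "STOP", reason)
```

The fourth and sixth packets are identical; the filter stops the first and passes the second only because an inside host asked for it in between, which is the difference between a plain port list and a firewall that tracks outgoing packets.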


Backing  up  data  may  occur  on  site  or  at  remote  secure  facilities,  and  is  one  of  the  most  important  things  a 
system administrator can do to enable a compromised system to recover from a cyberattack. Id. at 96, 102.

Backup  systems  may  be  essential  in  case  a  cyberattack  cripples  an  organization’s  primary  systems.  Id.  at  96. 

Security  audits  review  user  profiles  and  activity  within  a  system,  and  look  for  suspicious  account  settings  or 
activity.  An  effective  component  of  a  security  audit  is  to  review  audit  logs/trails.  Audit  logs/trails  are  designed 
to  record  activities  and  events  within  a  computer  system.  Reviewing  audit  logs  can  reveal  security  breaches 
inside  a  system,  and  help  trace  the  attacks  back  to  their  source.  For  instance,  an  audit  log  might  contain 
information  about  the  origin  of  a  computer  transmission,  show  which  files  were  accessed  or  attempted  to  be 
accessed,  and  reveal  changes  to  the  computer  system.  LEHTINEN  ET  AL.,  supra  note  36,  at  108-09;  COLARIK, 
supra  note  6,  at  71-72  (2006). 

LEHTINEN  ET  AL.,  supra  note  36,  at  50. 

Segmented  system  memory  physically  isolates  privileged  processes  from  non-privileged  processes.  Id. 

The  easiest  way  to  secure  a  computer  network  is  to  physically  isolate  it  from  the  outside  world.  However,  as 
systems  become  increasingly  dependent  on  global  communication  to  achieve  their  purpose,  this  becomes  more 
difficult  to  do.  There  is  a  middle  ground  though.  Systems  can  be  physically  designed  so  that  communication  to 
and  from  the  system  are  routed  through  a  single  channel,  known  as  a  gateway.  Gateways  can  be  designed  to 
run  a  variety  of  security  programs,  all  aimed  at  ensuring  that  communication  is  coming  from  trusted  sources  for 
legitimate  purposes.  Id.  at  189. 

This  can  include  increasing  bandwidth  to  handle  the  scope  of  the  attack;  building  redundant  or  fault-tolerant 
systems  that  are  harder  to  disrupt;  or  building  the  network  so  that  it  is  easy  to  reconfigure  in  case  of  attack.  See 
id.  at  196. 

Anti-virus  programs  contain  registries  of  virus  code  patterns,  which  can  be  used  to  detect  viruses.  Anti-virus 
programs lurk in the background of computer systems, constantly running and scanning ongoing processes and
incoming data for viral code. Upon detecting a potential virus, the program sounds an alarm and attempts to
isolate/quarantine the dangerous code. Id. at 92-93.

“Firewalls  protect  computer  systems  by  examining  each  packet  of  data  that  travels  over  the  network.  Clues 
about  a  packet’s  purpose  can  be  read  from  its  destination  address.  Firewalls  contain  a  list  of  allowed  and 
disallowed  destinations  and  functions.  If  a  packet  is  heading  for  a  forbidden  address  or  comes  from  one,  the 
firewall  stops  it.  If  a  packet  is  heading  to  a  valid  address,  but  its  port  identifier  (the  clue  to  the  packet’s 
function)  is  unknown  or  disallowed,  the  firewall  stops  that  packet  as  well.  Advanced  firewalls  even  keep  track 




Active defenses involve an in-kind response to a cyberattack, effectively a
counter-cyberattack against the attacker’s system, shutting down the attack before it can do further
damage and/or damaging the perpetrator’s system to stop it from launching future attacks.
Security professionals can set up active defenses to automatically respond to attacks against
critical systems, or can carry them out manually. For the most part, active defenses are
classified, though programs that send destructive viruses back to the perpetrator’s machine or
packet-flood the intruder’s machine have entered the public domain. The specific
capabilities  that  the  government  has  developed  are  beyond  the  scope  of  this  paper;  however, 
it  is  essential  to  note  that  active  defenses  greatly  enhance  victim-states’  defensive  capabilities 
against  cyberattacks  by  providing  them  a  crucial  additional  option  over  passive  defenses 
alone. 

Defending  against  cyberattacks  goes  beyond  computer  security.  On  the  macro  level  in  the 
United  States,  “the  federal  government  has  taken  steps  to  . . .  encourage  the  private  sector  to 
also  adopt  stronger  computer  security  policies  and  practices  to  reduce  infrastructure 


of  outgoing  packets,  and  open  up  only  if  a  packet  is  expected  and  returning.”  Firewalls  help  prevent  active 
threats such as worms and viruses, which attempt to enter a computer via forbidden pathways. Id. at 92.

Intrusion  detection  systems  monitor  systems  for  attacks,  much  like  anti-virus  programs  do  for  viruses.  The 
intrusion  detection  systems  have  libraries  of  the  steps  that  attackers  typically  take  to  conduct  attacks.  If  an 
attack  pattern  is  identified,  it  tries  to  stop  the  transaction  (if  it  can)  and  places  a  call  to  the  system  administrator, 
informing  them  of  the  attempted  attack.  Id.  at  107. 

See Jensen, supra note 5, at 231; Condron, supra note 24, at 410-11.

See Jensen, supra note 5, at 231; David Wheeler & Gregory Larsen, Techniques for Cyber Attack Attribution,
Inst. Def. Analysis, Oct. 2003, at 23-24, available at
http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA468859&Location=U2&doc=GetTRDoc.pdf.

See Jensen, supra note 5, at 231; Condron, supra note 24, at 410-11.

See  Shachtman,  supra  note  26  (quoting  the  Air  Force  Research  Laboratory  as  saying  that  passive  defenses 
are  insufficient  to  stop  cyberattacks,  and  that  active  defenses  are  needed  to  mount  an  effective  defense  against 
cyberattacks);  Crovitz,  supra  note  14,  at  17  (arguing  active  defenses  are  needed  to  stop  the  cyberthreat). 




vulnerabilities.” The National Strategy to Secure Cyberspace encourages the private
sector to partner with federal agencies to improve computer security for U.S. critical
infrastructure. The National Cyber Security Division of the Department of Homeland
Security is “tasked with conducting analysis of cyberspace threats and vulnerabilities, issuing
alerts and warnings for cyberthreats, improving information sharing, responding to major
cybersecurity incidents, and aiding in national-level recovery efforts.” Furthermore, the
government has set up the Cyber Warning and Information Network and National Cyber
Alert System, which is an early warning system for cyberattacks across the United States that
coordinates national cybersecurity defenses across critical U.S. sectors.

Unfortunately,  computer  security,  in  its  present  form,  is  not  enough  to  stop  cyberattacks. 
Computer  software  frequently  has  design  flaws  that  open  systems  to  attack,  despite  system 
administrators’ best efforts to fully secure their computer systems. These design flaws are
compounded by administrator and user carelessness in both system design and use, which
often nullifies the security measures put in place to defend a system. Furthermore, poor
design  of  federal  computer  networks  has  left  them  with  more  entry  points  than  U.S.  early 
warning  programs  can  effectively  monitor  at  one  time,  leaving  U.S.  computer  systems 


Wilson, supra note 15, at CRS-31.

Id.

Id. at CRS-31 to CRS-32.

See  id.  at  CRS-24  to  CRS-26. 

See  LEHTINEN  ET  AL.,  supra  note  36,  at  96;  WILSON,  supra  note  15,  at  CRS-25. 



vulnerable to attack until the number of entry points is reduced. These vulnerabilities
highlight the fact that passive defenses alone are not enough to protect states from
cyberattacks. As a result, it is likely states will feel the need to use active defenses, and, in
such event, it would be best if the law could provide parameters regarding the proper use of
such active defenses.


See Ryan Naraine, Chertoff Describes 'Manhattan Project’ for Cyber Defenses, EWEEK.COM, Apr. 8, 2008,
http://www.eweek.com/c/a/Security/Chertoff-Describes-Manhattan-Project-for-Cyber-Defenses (referencing
former Secretary of Homeland Security Michael Chertoff’s speech on federal computer systems’ vulnerability).

Responding  to  cyberattacks  with  active  defenses  (a  forceful  response)  is  the  only  real  way  for  states  to 
protect  themselves  against  cyberattacks.  Given  the  inability  of  passive  defenses  to  completely  secure  state  CNI, 
states  will  look  to  the  law  to  help  prevent  cyberattacks  against  them.  The  law  can  deal  with  cyberattacks  in 
three  different  ways,  as  discussed  below.  However,  as  also  discussed  below,  the  two  non-forceful  methods  for 
dealing  with  cyberattacks  are  inadequate. 

First,  states  can  continue  to  treat  cyberattacks  as  a  criminal  matter.  However,  a  number  of  states  refuse  to 
enforce  their  criminal  laws  when  cyberattacks  are  directed  at  their  rival  states,  or  cooperate  in  international 
efforts  to  eliminate  cyberattacks.  These  actions  have  made  criminal  laws  insufficient  to  protect  states  from 
cyberattacks.  See  Creekman,  supra  note  24,  at  656-63;  see  also  supra  Part  II.A. 

Second,  states  can  try  to  use  international  treaties  as  a  way  to  combat  cyberattacks.  These  treaties  could  either 
regulate  state  responsibilities  concerning  international  cyberattacks,  or  regulate  the  architecture  and  code  used 
to  build  the  Internet.  See  generally  Brown,  supra  note  52  (discussing  the  importance  of  an  international 
convention  on  cyberattacks,  and  proposing  a  draft  convention  to  regulate  information  systems  in  armed 
conflict);  Hollis,  supra  note  23  (discussing  the  need  for  clear  international  laws  for  cyberspace);  Lessig,  supra 
note  53  (arguing  for  a  treaty  to  regulate  the  design  of  cyberspace  that  ensures  digital  identities  are  required  for 
everything  on  the  Internet;  this  would  make  it  easier  for  law  enforcement  to  trace  and  prosecute  cyberattacks). 
However,  since  meaningful  international  agreements  require  the  agreement  of  a  substantial  majority  of 
sovereign  states  on  a  common  framework,  it  seems  unlikely  that  any  comprehensive  treaty  will  be  forthcoming 
in the near future. See LESSIG, supra note 52, at 298-324. Furthermore, it is naïve to think that a treaty will be a
way  to  get  states  to  cooperate,  as  states  like  China  and  Russia  are  already  turning  a  blind  eye  to  cyberattacks 
when  it’s  convenient  to  them,  despite  international  condemnation  of  the  cyberattacks  originating  from  them  so 
far,  and  numerous  United  Nations  General  Assembly  resolutions  calling  for  cooperation  against  cyberattacks. 
See  supra  Part  II.A  (discussing  China  and  Russia’s  unwillingness  to  cooperate  with  other  states  to  investigate 
and  prosecute  attackers);  infra  Part  VI.C  (discussing  the  U.N.  General  Assembly  resolutions  calling  for 
international  cooperation  to  eradicate  cyberattacks). 

Finally,  states  can  try  to  figure  a  way  around  the  legal  crisis  under  the  law  of  war,  so  that  states  can  employ 
active  defenses  in  addition  to  passive  defenses.  Of  these  options,  finding  a  way  to  authorize  active  defenses 
under  the  law  of  war  is  the  only  real  way  to  protect  states  from  cyberattacks.  This  is  because  the  first  two 
options  require  state  cooperation,  which  is  not  happening  at  present  and  seems  unlikely  to  happen  in  the  near 
future.  Also,  there  is  a  good  chance  that  a  forceful  response  (using  active  defenses)  will  act  as  a  coercive 
mechanism  to  push  uncooperative  states  into  changing  their  behavior,  since  no  state  wants  another  state 
operating  within  their  borders,  even  electronically. 




IV.  The  General  Framework  of  Jus  ad  Bellum 


The law of war is divided into two principal areas, jus ad bellum and jus in bello. Jus
ad bellum, also known as the law of conflict management, is the legal regime governing the
transition from peace to war. Jus in bello, also known as the law of armed conflict,
governs the actual use of force during war. The analysis of whether states can respond to
cyberattacks  with  active  defenses  predominantly  falls  under  jus  ad  bellum,  since  jus  ad 
bellum  sets  forth:  (1)  the  thresholds  that  cyberattacks  must  cross  to  be  considered  a  use  of 
force,  which  then  brings  cyberattacks  under  the  law  of  war,  and  (2)  the  legal  options  that 
states  have  to  respond  to  cyberattacks. 

Historically,  the  transition  from  peace  to  war  fell  under  the  prerogative  of  the  sovereign; 
however,  it  came  under  international  law  following  World  War  II  with  the  ratification  of  the 
United Nations (U.N.) Charter. While the U.N. Charter is not the only source of jus ad
bellum, it has redefined and codified “contemporary jus ad bellum in its entirety” and has
become the starting point for all jus ad bellum analysis. The relevant articles of the U.N.


Wingfield, supra note 48, at 31.

Jus ad bellum “is a set of rules that govern the resort to armed conflict and determine whether the conflict is
lawful or unlawful in its inception.” It governs what amounts to a use of force, and when force is authorized.
Id. at 31, 33.

Jus in bello “governs the behavior of both belligerents and neutrals during hostilities.” It governs what types
of force are authorized, and places limits on the use of force. Id. at 131.

Id. at 31.

See Hollis, supra note 22, at 1039 (noting that jus ad bellum comes from diverse sources, including the U.N.
Charter, international humanitarian law treaties, and CIL).

Wingfield, supra note 48, at 31, 37-38.




Charter are Articles 2(4), 39 and 51, which provide the framework for modern jus ad bellum
analysis.

A.  General  Prohibition  on  the  Use  of  Force 

Article  2(4)  prohibits  states  from  employing  “the  threat  or  use  of  force  against  the 
territorial  integrity  or  political  independence  of  [another]  state,  or  in  any  other  manner 
inconsistent with the Purposes of the United Nations.” Sometimes known as jus contra
bellum, Article 2(4) criminalizes both the aggressive use of force and the threat of the
aggressive use of force by states as crimes against international peace and security.

Although  the  U.N.  Charter  is  a  treaty  and  its  protections  apply  to  those  states  that  are  parties 
to  the  treaty,  the  prohibitions  contained  in  Article  2(4)  have  come  to  be  recognized  as  CIL  as 
well,  binding  on  all  states  across  the  globe. 

On its face, Article 2(4) might suggest that the threat or use of force is only prohibited
when directed against the territorial integrity or political independence of another state.
This is not the case. Article 2(4) also prohibits any threat or use of force inconsistent with

Id. at 31, 37-40.

U.N.  Charter  art.  2(4). 

Jus contra bellum means the law against the aggressive use of force. WINGFIELD, supra note 48, at 38.

Id. at 31, 38-39.

Schmitt, supra note 57, at 521. Unlike treaty based law, which only binds parties to the treaty, CIL binds all
states to it. CIL is formed when state practice matures to the point that it evidences opinio juris sive
necessitatis, a belief on the part of states that engaging in that practice is legally obligatory. Id. at 524. See
infra notes 380-81 and accompanying text (discussing the formation of CIL in depth).

Id. at 521-22.

Id. 




the purpose of the United Nations. When read in conjunction with Article 1 of the U.N.
Charter, Article 2(4) forbids threats or uses of force which threaten international peace and
security. Thus, states may not threaten to use or actually use force against another state
unless an exception is carved out within the U.N. Charter. This position is further
supported by Article 2(3), which requires states to “settle their international disputes by
peaceful means in such a manner that international peace and security, and justice, are not
endangered.” Only two exceptions exist to this seemingly all-encompassing renunciation
on  the  use  of  force:  actions  authorized  by  the  U.N.  Security  Council  and  self-defense. 

B.  Actions  Authorized  by  the  United  Nations  Security  Council 

The  first  exception  to  the  general  prohibition  on  the  use  of  force  is  actions  authorized  by 
the  United  Nations  Security  Council.  This  coercive  authority  stems  from  Article  42  of  the 
U.N.  Charter,  which  allows  the  Security  Council  to  use  military  force  to  restore  international 
peace  and  security.  However,  while  the  U.N.  Charter  grants  the  Security  Council  power  to 

U.N.  Charter  art.  2(4). 

See  U.N.  Charter  art.  1  (stating  that  the  purpose  of  the  United  Nations  is  to  maintain  international  peace 
and  security);  Schmitt,  supra  note  57,  at  522. 

YORAM  DINSTEIN,  WAR,  AGGRESSION  AND  SELF-DEFENCE  87-88  (4th  ed.  2005). 

U.N.  Charter  art.  2(3). 

Jensen,  supra  note  5,  at  216. 

See  U.N.  Charter  art.  39  (stating  that  the  Security  Council  shall  decide  what  constitutes  a  threat  to 
international  peace  and  security,  and  what  measures  to  take  in  response  to  any  such  threat);  U.N.  Charter  art.  42 
(granting  the  Security  Council  the  power  to  use  military  measures  to  restore  international  peace  and  security). 

See  U.N.  Charter  art.  51  (re-affirming  the  inherent  right  of  states  to  use  force  in  self-defense  under  CIL). 

U.N. Charter art. 42.




use military force, it cannot do so until it has met certain conditions, which are laid out in
Articles 39, 41 and 42.

Article 39 is the first threshold that the Security Council must cross before it can authorize
the use of force. The Security Council must consider whether a “threat to the peace,
breach of the peace, or act of aggression” exists. Should the Security Council determine
that this threshold has been met, in essence determining that a state has violated its
obligations under Article 2(4), the Security Council may then move on to Articles 41 and 42,
to determine the appropriate course of action to restore international peace and security.

Article 41, the use of non-military measures, is the Charter’s preferred method for
restoring international peace and security. Under it, the Security Council may authorize
non-military measures to coerce an offending state into ceasing its aggression. The
non-military measures are implemented by member states of the United Nations and may include


Wingfield, supra note 48, at 31, 52-54.

U.N.  Charter  art.  39. 

See  U.N.  CHARTER  art.  2(4),  39.  Remember,  states  are  generally  prohibited  from  threatening  to  use  or  using 
force,  and  are  required  to  seek  peaceful  means  to  resolve  their  disputes  with  each  other.  See  U.N.  CHARTER 
arts.  2(3),  2(4).  Fortunately,  the  drafters  of  the  Charter  understood  that  some  states  would  not  live  up  to  these 
requirements  and  created  a  framework  to  deal  with  them.  “As  an  exercise  of  the  international  community’s 
inherent right of collective self-defense, Article 39 of the Charter imposes an obligation on the Security Council
to maintain international peace and security.” WINGFIELD, supra note 48, at 52. From this obligation, and
through  the  mechanisms  prescribed  by  Articles  41  and  42,  the  Security  Council  derives  the  power  to  authorize 
the  force  against  states  who  threaten  the  peace.  Id.  at  52-54. 

See  Schmitt,  supra  note  57,  at  525. 

See  id. 




the  “complete  interruption  of  economic  relations  . . .  and  other  means  of  communication,  and 
the severance of diplomatic relations.”

Article 42, the use of military measures, like Article 41, requires an Article 39 threshold
decision to be made, and may only be used after non-military measures have proven
unsuccessful, or after the Security Council determines that it would be fruitless to adopt
them. However, unlike its Article 41 powers, the Security Council may only authorize
member states to take military action; it cannot compel them to do so.

C.  Self-Defense 


The  second  exception  to  the  general  prohibition  on  the  use  of  force  is  self-defense.  This 
defensive  right  of  states  is  enshrined  in  Article  51  of  the  U.N.  Charter,  which  proclaims  that 
“nothing  in  the  present  Charter  shall  impair  the  inherent  right  of  [states  to  engage  in] 
individual or collective self-defense” in response to an “armed attack.” As the text of
Article  51  implies,  the  right  of  self-defense  existed  long  before  the  U.N.  Charter,  and  has 


U.N.  Charter  art.  41.  Article  41  explicitly  recognizes  the  Security  Council’s  authority  to  give  orders  to 
member  states.  Wingfield,  supra  note  48,  at  53-54.  “The  Members  of  the  United  Nations  agree  to  accept  and 
carry  out  the  decisions  of  the  Security  Council  in  accordance  with  the  present  Charter.”  U.N.  CHARTER  art.  25. 

See  U.N.  CHARTER  art.  42;  Schmitt,  supra  note  57,  at  525. 

Wingfield,  supra  note  48,  at  54.  When  the  Security  Council  authorizes  the  use  of  force  against  a  state 
under  Article  42,  its  authorizing  resolution  serves  as  legal  authority.  The  Security  Council  can  authorize  states 
to  use  military  force  in  three  different  ways.  First,  it  can  authorize  states  to  use  force  to  enforce  its  resolution. 
Second, it can authorize international organizations, such as NATO, to use force on its behalf. Third, it can
create  a  U.N.  military  force  and  ask  states  to  provide  military  forces  to  it.  In  all  of  the  cases,  state  participation 
is  strictly  voluntary  and  cannot  be  compelled.  SCHMITT,  supra  note  57,  at  525-28. 

U.N. Charter art. 51. Article 51 only allows states to act in self-defense until the Security Council takes
action to restore international peace and security. Furthermore, states are required to immediately report
measures taken in self-defense to the Security Council. U.N. CHARTER art. 51; DINSTEIN, supra note 184, at 177
(quoting  Article  51  of  the  U.N.  Charter). 




been re-affirmed in the Charter as an inherent right of states under CIL. Self-defense is
derived from the fundamental right of states to survive, allowing them the self-help measure
of using force defensively to protect themselves and their citizens. Since this right exists
independent of and has not been subsumed by the U.N. Charter, self-defense analysis
draws on both the provisions of Article 51 of the U.N. Charter and the principles of CIL.

The  bedrock  principle  of  self-defense  is  that  it  may  be  invoked  in  response  to  an  armed 
attack. Unfortunately, while this cornerstone is universally recognized under international
law, ambiguity in the U.N. Charter has led to an ongoing debate about when states may
invoke self-defense. This is because the Charter never defines “armed attack.” Since
the timing of self-defense is contingent on an armed attack occurring, it is critical to resolve
what constitutes an armed attack. This debate has become even more pronounced
regarding  cyberattacks,  which  are  often  seen  as  a  use  of  force  short  of  armed  force,  making 

See DINSTEIN, supra note 184, at 175-82.

Id.  at  175-76. 

See Military and Paramilitary Activities in and against Nicaragua (Nicar. v. U.S.), 1986 I.C.J. 14, 94, 96-97
(June 27) (noting that the inherent right of self-defense has not been subsumed by the U.N. Charter); DINSTEIN,
supra note 184, at 181 (citing the International Court of Justice’s (ICJ) opinion in the Nicaragua case); Jensen,
supra note 5, at 221 (citing the ICJ’s opinion in the Nicaragua case). But see WINGFIELD, supra note 48, at 41
(citing The Charter of the United Nations: A Commentary 666 (Bruno Simma ed. 1994), which
concludes that Article 51 excludes any right of self-defense “other than that in response to an armed attack”).

See DINSTEIN, supra note 184, at 181; WINGFIELD, supra note 48, at 41 (noting that the Article 51 right of
self-defense is coextensive with the right of self-defense under CIL).

U.N.  CHARTER  art.  51. 

Hollis,  supra  note  22,  at  1040-41. 

See  U.N.  CHARTER;  WINGFIELD,  supra  note  48,  at  73;  Hollis,  supra  note  22,  at  1040-41. 

See  Wingfield,  supra  note  48,  at  41  (noting  that  the  pivotal  focal  point  in  any  self-defense  debate  is  the 
meaning of an armed attack, since that will determine the time that an armed attack occurs and when
self-defense may be invoked); Jensen, supra note 5, at 219-20.




cyberattacks far more difficult to classify than traditional attacks with conventional
weapons.208

Self-defense analysis is further complicated because of competing theories among legal
scholars on the interplay between the U.N. Charter and CIL. Some commentators place
heavier emphasis on the U.N. Charter, arguing that Article 51 limits self-defense to responses
against actual armed attacks. Others place more emphasis on CIL, arguing for a broader
interpretation of armed attacks that includes imminent armed attacks. Imminent armed
attacks are addressed in Part IV, Section D. For now, it is worth noting that while there are
different theories about the definition of an armed attack, once a state is targeted with an
armed attack, the state and its allies are legally authorized to use force against the aggressor.

Self-defense  responses  must  comply  with  international  law.  Just  because  an  armed  attack 
has  occurred  against  a  victim-state  does  not  mean  that  the  victim-state  has  a  blank  check  to 
wage unlimited war against an aggressor. Self-defense must comply with two principles
of CIL—necessity and proportionality. Necessity is the requirement that self-defense is


See infra Part VI.A (addressing the question of whether a cyberattack constitutes an armed attack).

See  Wingfield,  supra  note  48,  at  46-47  (noting  the  different  opinions  legal  scholars  have  on  the  interplay 
between  Article  51  and  CIL  regarding  anticipatory  self-defense);  Murphy,  supra  note  49,  at  705  (noting  the  lack 
of  consensus  on  the  legality  of  anticipatory  self-defense  due  to  competing  views  on  the  interplay  between  the 
U.N.  Charter  and  CIL). 

See Jensen, supra note 5, at 219-20; Barkham, supra note 29, at 74; Murphy, supra note 49, at 706-11
(discussing  the  strict-constructionist  school  of  thought  on  the  U.N.  Charter  and  armed  attacks,  which  holds  that 
Article  51  of  the  U.N.  Charter  consumes  all  previous  CIL  relating  to  self-defense). 

See Jensen, supra note 5, at 221-26; Barkham, supra note 29, at 74-75; Murphy, supra note 49, at 706-11
(discussing  the  imminent  threat  and  qualitative  threat  schools  of  thought  on  CIL  and  armed  attacks,  which  hold 
that  the  right  of  self-defense  under  CIL  still  exists  independent  of  Article  51  of  the  U.N.  Charter). 

See DINSTEIN, supra note 184, at 235-37.

Wingfield, supra note 48, at 41-44. But see DINSTEIN, supra note 184, at 237, 242-43 (noting that
self-defense must comply with three principles of CIL—necessity, proportionality and immediacy; under this




actually required under the circumstances because a reasonable settlement could not be
attained through peaceful means. Therefore, a state that is subject to an all-out invasion
will, no doubt, be required to use force to overcome the aggressor; whereas a state that is
subject to an isolated border skirmish might not need to use force to protect itself.
Proportionality requires self-defense actions to be limited to the amount of force necessary to
defeat an ongoing attack or deter future aggression. It is important to understand that this
principle does not require the size and scope of defensive actions to be similar to those of the
attack. A defensive action may need to employ significantly greater force than the attacker
used to successfully repel the attacker. The key is to determine the amount of force
needed to either defeat the current attack or deter future attacks from occurring. For instance,
after an all-out invasion, a proportionate response might entail an all-out war to defeat the
aggressor’s military, including the use of nuclear weapons, since that may be the only
feasible way to deter future attacks. On the other hand, a proportionate response to an
isolated missile strike might be to strike the launching facility for that missile. These


analysis  immediacy  means  that  self-defense  measures  cannot  be  delayed  indefinitely  and  must  be  taken  in  a 
reasonable  amount  of  time  after  an  armed  attack). 

The  principle  of  immediacy  originated  in  relation  to  anticipatory  self-defense,  and,  for  the  most  part,  is  accepted 
as a third principle which only applies to anticipatory self-defense. See infra Part IV.D.

DINSTEIN, supra note 184, at 237.

Id.

See Schmitt, supra note 57, at 532.

See id.

See Dinstein, supra note 184, at 237-42.

See  Wingfield,  supra  note  48,  at  48. 




principles  define  the  scope  of  self-defense  responses,  and  provide  insight  into  the  rationale 
behind  when  self-defense  is  required. 


D.  Anticipatory  Self-Defense 


Anticipatory self-defense is a subset of self-defense. Its basis is that “aggression often
begins without shots being fired or borders being crossed.” Sometimes states will obtain
information which reveals that an armed attack is about to be launched against them. While
the attack has not yet occurred, “states can rightfully defend themselves against such
violence.”

The  crux  of  the  issue,  therefore,  is  not  who  fired  the  first  shot  but  who 
embarked  upon  an  irreversible  course  of  action,  thereby  crossing  the  legal 
Rubicon.  The  casting  of  the  die,  rather  than  the  actual  opening  of  fire,  is  what 
starts  the  armed  attack.  It  would  be  absurd  to  require  that  the  defending  State 
should  sustain  and  absorb  a  devastating  (perhaps  a  fatal)  blow,  only  to  prove 
the immaculate conception of self-defense.

Anticipatory  self-defense  is  a  long-standing  tenet  of  CIL,  dating  back  to  the  1836 
Caroline case. In Caroline, the United Kingdom and the United States agreed that self-


Michael Walzer, Just and Unjust Wars 74 (1977); see also Murphy, supra note 49, at 706-11 (noting
students of the imminent threat and qualitative threat schools of thought on CIL treat imminent armed attacks as
armed attacks for purposes of self-defense). But see Murphy, supra note 49, at 706-11 (noting some legal
scholars strictly construe the U.N. Charter to authorize self-defense only in response to actual armed attacks).

Dinstein, supra note 184, at 191. Dinstein calls this interceptive self-defense, arguing that armed attacks
should be more broadly construed than invasive force across national borders; however, his justification for
interceptive self-defense is the same justification for anticipatory self-defense. The only real distinction
between Dinstein and other legal scholars is the timing of anticipatory self-defense, which shall be
addressed in this section. Barkham, supra note 29, at 76-77.

See  Barkham,  supra  note  29,  at  75;  Murphy,  supra  note  49,  at  705. 




defense  was  lawful  in  advance  of  an  armed  attack,  when  “the  necessity  of  that  self-defense  is 
instant,  overwhelming  and  leaving  no  choice  of  means,  and  no  moment  for  deliberation.” 

As discussed in Part IV, Section C, anticipatory self-defense is not a universally accepted
principle among legal scholars; however, despite ongoing debate, stronger arguments exist
in support of anticipatory self-defense as a fundamental axiom of international law. The
real question then becomes when states can act in anticipatory self-defense.


Wingfield,  supra  note  48,  at  47  (quoting  THE  CHARTER  OF  THE  UNITED  NATIONS:  A  COMMENTARY  675 
(Bruno  Simma  ed.  1994)  (quoting  then  Secretary  of  State  Daniel  Webster)). 

See supra Part IV.C.

International  law  is  derived  from  four  sources:  international  conventions,  international  custom  (as  evidence 
of  a  general  principle  accepted  as  law),  the  general  principles  of  law  recognized  by  civilized  nations,  and  the 
judicial  decisions  and  the  teachings  of  the  most  highly  qualified  international  legal  scholars  (as  a  subsidiary 
means  for  determining  the  rules  of  law).  See  WINGFIELD,  supra  note  48,  at  72  (quoting  Statute  of  the 
International Court of Justice, art. 38(1), June 26, 1945, 59 Stat. 1055, 1060 (1945)).

With  regard  to  international  conventions,  the  text  of  the  U.N.  Charter  states  that  it  does  nothing  to  impair  the 
inherent  right  of  self-defense.  Even  more  persuasive  may  be  the  fact  that  the  French  language  version  of  the 
Charter,  which  is  equally  as  authoritative  as  the  English  version,  preserves  the  inherent  right  of  nations  to  act  in 
self-defense  in  situations  where  the  member-state  is  the  object  of  an  armed  aggression.  This  is  a  much  less 
restrictive  version,  which  supports  the  fact  that  the  drafters  intended  to  preserve  the  right  of  self-defense  as  it 
existed  prior  to  the  Charter.  See  Murphy,  supra  note  49,  at  706-15. 

With  regard  to  international  custom,  there  are  numerous  instances  of  states  justifying  their  actions  based  on 
anticipatory self-defense post-United Nations Charter. Examples include the 1962 quarantine of Cuba by the
United States, the 1967 Arab-Israeli war, the 1981 Israeli attack against an Iraqi nuclear facility, and the 1986
U.S. bombing against Libya. See Murphy, supra note 49, at 713; Thomas Franck, When, If Ever, May States
Deploy Military Force Without Prior Security Council Authorization?, 5 WASH. U. J.L. & POL’Y 51, 59 (2001).

With  regard  to  judicial  decisions,  the  ICJ  stated  that  self-defense  was  not  subsumed  by  the  U.N.  Charter.  The 
court  also  left  the  door  open  to  anticipatory  self-defense  as  a  valid  axiom  of  international  law,  but  chose  not  to 
resolve  the  issue  since  the  parties  in  the  case  had  not  raised  it.  See  Military  and  Paramilitary  Activities  in  and 
against Nicaragua (Nicar. v. U.S.), 1986 I.C.J. 14, 110 (June 27); Dinstein, supra note 184, at 181 (citing the
ICJ’s opinion in Nicaragua); Jensen, supra note 5, at 221 (citing the ICJ’s opinion in Nicaragua).

With  regard  to  legal  scholarship,  respected  scholars  seem  to  support  anticipatory  self-defense  as  a  maxim  of 
international  law.  See  WALZER,  supra  note  220,  at  82-85  (recognizing  the  Six  Day  War  as  a  lawful  use  of  force 
by Israel in anticipation of an imminent armed attack); DINSTEIN, supra note 184, at 191 (rejecting the doctrine
of anticipatory self-defense, but recognizing the right of interceptive self-defense before an attack occurs);
Wingfield, supra note 48, at 47, 94 (recognizing the right of states to act in anticipatory self-defense, and
noting  that  even  opponents  of  anticipatory  self-defense  concede  that  self-defense  may  begin  after  an  attack  is 
launched,  but  before  it  occurs);  Murphy,  supra  note  49,  at  706-15  (noting  that  even  strict-constructionists  admit 
that  self-defense  may  be  justified  on  moral  or  political  grounds);  Barkham,  supra  note  29,  at  75  (noting  that 
even  staunch  opponents  of  anticipatory  self-defense  allow  some  leeway  on  interpreting  when  an  attack  begins 




The  legality  of  anticipatory  self-defense  actions  depends  on  the  imminency  of  an  attack. 
Imminency,  sometimes  called  immediacy  and  sometimes  referred  to  as  the  third  principle  of 
self-defense,  supplements  the  traditional  self-defense  principles  of  necessity  and 
proportionality  regarding  anticipations.  Generally  speaking,  imminency  allows  a  state  to 
use  force  against  an  identified  aggressor,  in  advance  of  an  armed  attack,  to  repel  the  attack 
before it is launched. Initially, the concept of imminency restricted anticipatory self-
defense to situations immediately before an attack, where an attack was detected, but there
was no time to deliberate about other means of preventing the attack short of forceful self-
defense. The principle effectively balanced the victim-state’s right to ward off violence
against  its  international  obligation  to  find  peaceful  means  to  resolve  disputes.  However, 
due  to  changes  in  the  nature  of  warfare,  imminency  has  evolved  significantly  since  then. 

Today,  imminency  allows  states  to  legally  employ  force  in  advance  of  an  attack,  at  the 
point  when  (1)  evidence  shows  that  an  aggressor  has  committed  itself  to  an  armed  attack,  and 


and  admits  that  technology  may  require  states  to  re-examine  the  starting  point  of  armed  attacks);  Schmitt,  supra 
note  57,  at  528-36  (recognizing  anticipatory  self-defense  as  a  valid  subset  of  self-defense). 

See  Schmitt,  supra  note  57,  at  528-36. 

See  id.  at  533. 

See  id.  at  533-34. 

See  id.  (recalling  the  standards  set  forth  in  the  Caroline  case). 

See  id.  at  534. 

See  id.  (noting  that  it  has  become  accepted  to  invoke  anticipatory  self-defense  earlier  and  earlier,  in  advance 
of  an  attack,  as  the  consequences  of  a  single  attack  become  more  severe  (in  the  case  of  chemical,  biological  or 
nuclear  weapons)  and  as  intelligence  gathering  tools  become  more  advanced  (satellite  imagery,  intercepted 
electronic  communications  and  other  state-of-the-art  surveillance  techniques)). 




(2) delaying a response would hinder the defender’s ability to mount a meaningful defense.

Thus,  imminency  is  actually  a  relative  concept,  which  operates  as  follows: 

Weak  states  may  lawfully  act  sooner  than  strong  ones  in  the  face  of  identical 
threats  because  they  are  at  a  greater  risk  as  time  passes.  In  the  same  vein,  it 
may  be  necessary  to  conduct  defensive  operations  against  a  terrorist  group 
long  before  a  planned  attack  because  there  is  unlikely  to  be  another 
opportunity to target terrorists before they strike. . . . In other words, each
situation presents a case-specific window of opportunity within which a State
can foil an impending attack.

Finally, one should note that just because a single attack may be finished does not mean that
future attacks are not imminent. When evidence suggests that an attack is part of an ongoing
campaign against a state, such as the terrorist attacks against the United States on 9/11, future
armed attacks will be considered imminent and anticipatory self-defense will be
authorized. Some scholars support the same conclusion, but disagree with the legal
rationale  behind  it,  claiming  that  a  proportional  response  in  self-defense  to  a  single  armed 
attack  can  be  far  reaching  to  deter  future  attacks,  and  that  anticipatory  self-defense  is  the 
wrong  lens  through  which  to  view  the  response  to  an  ongoing  campaign. 


E.  Proportionate  Countermeasures  /  Reprisals 


See  id.  at  534-35. 

See  id.  at  534. 

See  id.  at  535-36. 

See  Murphy,  supra  note  49,  at  734-36  (arguing  that  self-defense  allowed  the  United  States  to  conduct  a  far 
reaching campaign against Al Qaeda in response to the 9/11 attacks on the grounds of self-defense, not
anticipatory  self-defense). 




Proportionate  countermeasures,  also  known  as  reprisals,  provide  another  way  for  states  to 
address  illegal  uses  of  force  against  them.  As  discussed  in  Part  IV,  Section  C,  no 
consensus  exists  as  to  what  constitutes  an  armed  attack,  which  creates  the  possibility  that  a 
cyberattack may be seen as a use of force below the armed attack threshold. As a result, it
is  important  to  explore  the  rights  that  states  have  to  react  to  illegal  uses  of  force  against  them 
which  fall  short  of  an  armed  attack. 

Proportionate countermeasures are an exception to the general rule that states are required
to solve their disputes peacefully. “A reprisal ‘is an act which is unlawful per se, unless it
can be justified as a countermeasure triggered by an unlawful act and is designed to induce
the offending state to return to full compliance with the law.’” Should a state decide to use
proportionate countermeasures, it must comply with the three criteria enumerated by the
International Court of Justice (ICJ) in Gabcikovo-Nagymaros Project. These criteria are:

In  the  first  place  [countermeasures]  must  be  taken  in  response  to  a  previous 
international  wrongful  act  of  another  State  and  must  be  directed  against  that 
State.  . . .  Secondly,  the  injured  State  must  have  called  upon  the  State 
committing  the  wrongful  act  to  discontinue  its  wrongful  conduct  or  to  make 
reparation  for  it. . . .  [Third]  the  effects  of  a  countermeasure  must  be 
commensurate  with  the  injury  suffered,  taking  into  account  the  rights  in 
question.


See Wingfield, supra note 48, at 85; Jensen, supra note 5, at 220.

See  supra  Part  IV.C. 

See WINGFIELD, supra note 48, at 84-85.

See id. at 85 (quoting THE CHARTER OF THE UNITED NATIONS: A COMMENTARY 101 (Bruno Simma ed.
1994)). 

Gabcikovo-Nagymaros  Project  (Hung.  v.  Slovk.),  1997  I.C.J.  7, 55-56  (Sept.  25)  (Merits). 

Id. 




Reprisals  may  be  carried  out  in  various  ways.  Economic  and  political  coercion  are  the 
two  main  forms  of  reprisals;  however,  reprisals  could  also  include  the  use  of  limited 
cyberattacks against an aggressor. The limits on reprisals are that they may not involve the
use of force contrary to Article 2(4) of the U.N. Charter; however, the consensus among
international scholars is that this prohibition really only amounts to a prohibition against
armed force. While this paper contends that states should treat certain cyberattacks as
armed  attacks,  and  deal  with  them  using  self-defense  and  anticipatory  self-defense  legal 
principles,  reprisals  provide  an  important  alternate  theory  for  dealing  with  cyberattacks  to 
those  who  contend  that  cyberattacks  fall  short  of  the  armed  attack  threshold. 

The  general  framework  of  jus  ad  bellum  discussed  so  far  has  primarily  evolved  in 
response  to  state-on-state  attacks.  When  attacks  are  carried  out  by  non-state  actors  across 
state  borders,  it  complicates  the  framework  governing  state  responses  to  the  attacks.  Since 
most  cyberattacks  are  carried  out  by  non-state  actors,  this  paper  will  explore  jus  ad  bellum  in 
greater  depth  and  explain  the  intricacies  of  state  responses  to  attacks  by  non-state  actors. 

V. Non-State Actors Complicate the General Framework of Jus ad Bellum; However,
Imputing  State  Responsibility  Allows  States  to  Deal  with  Them 


See  Wingfield,  supra  note  48,  at  84-92. 

See  id.  at  85. 

See id. at 87 (quoting THE CHARTER OF THE UNITED NATIONS: A COMMENTARY 112 (Bruno Simma ed.
1994)).

See  infra  Part  VI.A  (discussing  cyberattacks  as  armed  attacks). 




International cyberattacks by non-state actors complicate the general framework of jus ad
bellum. Since the prevailing view of international law requires states to attribute an attack to
a state or its agents before responding with force, states feel obligated to undertake
lengthy, time-consuming investigations before responding to cyberattacks, which increases
the risks that the cyberattack poses to them. This creates a dilemma for states. While
states can trace an attack back to a server in another state, identifying who is at the other end
of the electronic connection directing the attack takes more time than states have to make a
decision about how to respond to the attack. Thus, the prevailing view of the law forces
states into a response crisis during an international cyberattack.

Unfortunately, a lack of state cooperation has exacerbated the response crisis. In an
ideal world, states would not commit cyberattacks and would assist victim-states to track
down their attackers. Under this utopian paradigm, states could contently rely on passive
defenses, knowing that attackers who breached their defenses would be hunted down and
punished. Unfortunately, this is not a reality, and states are left in limbo during an attack,
wondering who attacked them, and how to respond. Yet even if a cyberattack was
attributable to a non-state actor and states wanted to respond with force, they are bound not
to intervene in the domestic affairs of other states. Not surprisingly, despite a lack of state


See  Condron,  supra  note  24,  at  415;  Dinstein,  supra  note  184,  at  111. 

See  Condron,  supra  note  24,  at  407-08. 

See  supra  Part  II.A  (discussing  the  response  crisis). 

See  id.  (discussing  the  lack  of  state  cooperation  in  tracking  down  attackers). 

Hollis,  supra  note  22,  at  1049-50.  To  do  so  would  be  a  violation  of  the  sovereignty  of  the  other  state,  and 
would  be  in  violation  of  CIL.  Id. 




cooperation, states attempt to respond via criminal laws, rather than risk unlawfully violating
the sovereignty of another state.

There is, however, a way to avoid the attribution problem and response crisis. When
a victim-state can lawfully impute a cyberattack to its state of origin, it can immediately
respond with force under the law of war, regardless of whether the attack was conducted by
the state itself or by non-state actors within it. Thus, imputing state responsibility creates a
legal path for states to respond to cyberattacks with active defenses in a timely and effective
manner. Given the technological and diplomatic limitations to timely attack attribution, it
is crucial for legal scholars to reexamine the legal regime governing state responses to
cyberattacks committed by non-state actors through the lens of imputed responsibility.

The  legal  analysis  for  determining  whether  cyberattacks  can  be  imputed  to  their  state  of 
origin  starts  with  the  underlying  law  behind  armed  attacks  by  non-state  actors.  From  there, 
the  analysis  continues  with  the  duties  states  have  to  one  another  concerning  non-state  actors 
within  their  territory,  then  moves  on  to  the  ways  to  impute  state  responsibility  for  acts  by 
non-state  actors,  and  ends  with  the  legality  of  cross-border  operations  against  other  states. 
This part examines those issues, and afterwards, Part VI analyzes cyberattacks under the
framework  established  in  Parts  IV  and  V. 

A.  Armed  Attacks  by  Non-State  Actors 


See  supra  Part  II.A. 

See  infra  Part  VI.B-C. 

See  supra  Part  II.A  (discussing  the  attribution  problem). 




Non-state actors can and have committed armed attacks against states. Most legal
scholars believe these attacks fall under the law of war. This opinion enjoys broad support
from all four sources of international law: international conventions, international custom (as
evidence of a general principle accepted as law), the general principles of law recognized by
civilized nations, and the judicial decisions and teachings of the most highly qualified
international legal scholars (as a subsidiary means for determining the rules of law).
However, since this opinion is not universally held, it is worth discussing at some length.

Of  the  four  sources  of  international  law,  international  treaties  lend  the  least  support  for  the 
proposition  that  non-state  actors  may  commit  an  armed  attack.  This  is  because  their  support 
is,  at  best,  indirect,  stemming  from  their  silence  on  the  subject.  Their  silence  allows  states  to 
infer  support  for  this  proposition  because  no  treaty  has  ever  prohibited  states  from  treating 
attacks  by  non-state  actors  as  acts  of  war,  despite  the  opportunity  to  do  so.  As  noted  earlier, 
modern jus ad bellum analysis starts with the U.N. Charter. However, the Charter was
written  to  govern  armed  conflict  between  states.  As  a  result,  the  Charter  is  silent  about 


See Dinstein, supra note 184, at 187, 204; Walzer, supra note 220, at 197-206 (discussing various terrorist
campaigns); Schmitt, supra note 57, at 536-40 (discussing the Sept. 11, 2001 terrorist attacks by Al Qaeda).

See Dinstein, supra note 184, at 204-08; Michael Schmitt, Counter-Terrorism and the Use of Force in
International Law, in INTERNATIONAL LAW AND THE WAR ON TERROR 7, 33-47 (Fred L. Borch & Paul S.
Wilson eds., Naval War College 2003); Schmitt, supra note 57, at 536-40; Rein Mullerson, Jus Ad Bellum and
International Terrorism, in INTERNATIONAL LAW AND THE WAR ON TERROR 75, 106-11 (Fred L. Borch & Paul
S. Wilson eds., Naval War College 2003).

See  Wingfield,  supra  note  48,  at  72  (quoting  Statute  of  the  International  Court  of  Justice,  art.  38(1),  June 
26,  1945,  59.  Stat.  1055,  1060  (1945)). 

Some  scholars  argue  that  the  law  of  war  only  governs  attacks  by  states.  Schmitt,  supra  note  57,  at  536. 

See  supra  Part  IV,  introduction. 

See  U.N.  CHARTER  art.  1  (stating  that  its  purpose  is  to  maintain  international  peace  and  security  through  the 
regulation  of  state  action);  Schmitt,  supra  note  57,  at  536  (noting  that  the  U.N.  Charter  was  drafted  to  regulate 
state-on-state armed conflicts); Mullerson, supra note 258, at 112 (stating that there is little doubt that the
drafters  of  the  Charter  had  not  contemplated  armed  attacks  by  non-state  actors). 




armed attacks by non-state actors. While it appears that the minimalist language of Article
51 allows a state to respond in self-defense to armed attacks against it, the lack of any
specific  language  on  point  forces  us  to  look  to  the  other  three  sources  of  international  law  to 
determine  the  controlling  standards  for  armed  attacks  by  non-state  actors. 

While not originally envisioned in the drafting of the U.N. Charter, analysis of CIL
reveals that “[i]t is now incontrovertible that States treat the law of self-defense as applicable
to acts by non-state actors.” The international community’s response to the terrorist
attacks of September 11, 2001 (9/11) crystallized the validity of this principle. Following
the 9/11 attacks, the U.N. Security Council passed Resolution 1368, which characterized the
attacks as a threat to international peace and security under Article 39 of the Charter and
reaffirmed the United States’ inherent right to engage in either individual or collective self-
defense in accordance with Article 51 of the Charter. Two weeks after the attacks, when it
appeared clear that Al Qaeda was behind the attacks, the Security Council passed Resolution
1373, once again affirming the United States’ inherent right of self-defense in response to the


See  generally  U.N.  CHARTER  (making  no  mention  of  non-state  actors  anywhere  in  the  Charter). 

U.N. Charter art. 51; Dinstein, supra note 184, at 204 (noting that Article 51 regulates state responses to
armed attacks, but never specifies the character of the perpetrator of the attacks; therefore implying that self-
defense could be invoked against states or non-state actors); Schmitt, supra note 258, at 33-34 (noting that
Chapter VII of the Charter, which includes both Articles 39 and 51, dictates what states may do in the face of
threats to international peace and security and acts of aggression, without ever stating what those might be). But
see Schmitt, supra note 57, at 536 (noting a number of commentators assert that because the U.N. Charter does
not specifically address armed attacks by non-state actors, those attacks therefore fall outside the scope of the
law of war and should, instead, be governed by international and domestic criminal laws).

Schmitt,  supra  note  57,  at  539. 

See Dinstein, supra note 184, at 207-08; Schmitt, supra note 258, at 7-47; Schmitt, supra note 57, at 536-
40; Mullerson, supra note 258, at 84, 106-19.

See Schmitt, supra note 57, at 536-37 (noting that at the time Resolution 1368 was passed, no one believed
that  a  state  was  behind  the  attacks,  yet  the  attacks  were  found  to  be  a  threat  to  international  peace  and  security 
under  Article  39). 




attacks. Both of these Security Council declarations are particularly significant because
the 9/11 attacks could have been dealt with under Article 42 of the Charter, but instead were
dealt with under Article 51, despite the fact that the attacks were committed by non-state
actors. NATO, the Organization of American States, and Australia all made similar
declarations, invoking the collective self-defense provisions of their mutual defense treaties,
to assist the United States in its response to the 9/11 attacks. The statements and actions of
scores of other states, including major states such as Russia, China, India, Japan, South
Korea, Pakistan, Saudi Arabia and Egypt, lend support to the principle that attacks by non-
state actors fall under the law of war. Finally, this principle was supported by the ICJ in its
2004 Advisory Opinion in Legal Consequences of the Construction of a Wall in the Occupied
Palestinian Territory, as well as from the publications of legal scholars.


See id. at 537.

See Schmitt, supra note 258, at 16. Had the Security Council wanted to deal with the 9/11 attacks under
Article  42  of  the  U.N.  Charter,  it  could  have  authorized  the  United  States,  a  coalition  of  forces,  or  a  regional 
organization  to  use  force  pursuant  to  it,  “as  the  Council  is  entitled  to  do  in  the  face  of  a  ‘threat  to  the  peace, 
breach  of  peace  or  act  of  aggression.’”  Id.  (quoting  Article  42  of  the  U.N.  Charter). 

NATO unanimously invoked Article 5 of the Washington Treaty, based on Article 51 of the U.N. Charter,
which  provides  for  collective  self-defense  in  response  to  armed  attacks  against  a  member-state.  The 
Organization  of  American  States  invoked  the  collective  self-defense  provision  of  the  Rio  Treaty.  Australia 
invoked  Article  IV  of  the  ANZUS  Treaty.  See  id.  at  16-18. 

See  Schmitt,  supra  note  258,  at  18;  Schmitt,  supra  note  57,  at  538-39. 

See Dinstein, supra note 184, at 204 (referencing the Separate Opinions of Judge Higgins and Judge
Kooijmans, as well as the Declaration of Judge Buergenthal, in Legal Consequences of the Construction of a
Wall in the Occupied Palestinian Territory, 2004, 43 I.L.M. 1009, 1063, 1072, 1079 (2004)). While the ICJ
held that Israel could not respond in self-defense to terrorist attacks from non-state actors in this case, the court
explicitly stated this was because Israel never asserted the acts were imputable to a state. Legal Consequences
of the Construction of a Wall in the Occupied Palestinian Territory, 2004, 43 I.L.M. 1009, 1050 (2004). Thus,
the  case  shows  that  attacks  by  non-state  actors  fall  under  the  law  of  war,  but  that  the  law  of  war  only  permits 
states  to  respond  in  self-defense  when  the  actions  of  the  non-state  actors  are  imputable  to  a  state,  which  wasn’t 
the  case  here. 

See Dinstein, supra note 184, at 204-08; Schmitt, supra note 258, at 33-47; Schmitt, supra note 57, at 536-
40; Mullerson, supra note 258, at 106-11.




While  attacks  by  non-state  actors  fall  under  the  law  of  war,  the  law  of  war  only  allows 
states  to  forcibly  respond  to  these  attacks  when  the  attacks  are  imputable  to  a  state, 
meaning  the  state  also  bears  some  responsibility  for  the  actions  of  the  non-state  actors.  The 
next  step  of  the  analysis  toward  imputing  state  responsibility  for  these  attacks  is,  therefore,  to 
examine  the  duties  that  states  have  concerning  non-state  actors  within  their  territory. 

B.  Duties  Between  States 

“It is a long established principle of international law that ‘a state is bound to use due
diligence to prevent the commission within its dominions of criminal acts against another
nation or its people.’” This principle is reflected in numerous state declarations, judicial
opinions and publications from leading scholars. State declarations that support this
principle include: the 1970 Declaration on Friendly Relations, which urges states to “refrain
from . . . acquiescing [to] organized activities within [their] territory directed towards the
commission of [civil strife or terrorism in another state];” the 1994 Declaration on


See  supra  note  272  and  accompanying  text;  infra  Part  V.C-D. 

Schmitt, supra note 57, at 540-41 (quoting John Basset Moore in S.S. Lotus (Fr. v. Turk.) 1927 P.C.I.J. (ser.
A) No. 10, at 4, 88 (Moore, J., dissenting)).

See Dinstein, supra note 184, at 205-06; Schmitt, supra note 258, at 39-40, 48; Schmitt, supra note 57, at
541.

Declaration on Principles of International Law Concerning Friendly Relations and Co-operation Among
States in Accordance with the Charter of the United Nations, G.A. Res. 2625, ¶ 1, U.N. GAOR, 25th Sess.,
Annex, Agenda Item 85, U.N. Doc. A/Res/2625 (Oct. 24, 1970); see also Vincent-Joel Proulx, Babysitting
Terrorists: Should States Be Strictly Liable for Failing to Prevent Transborder Attacks?, 23 BERKELEY J. INT’L
L. 615, 629 (2005); Schmitt, supra note 258, at 39-40 (quoting the 1970 Declaration on Friendly Relations).




Measures to Eliminate Terrorism; and the 1996 Declaration on the Strengthening of
International Security, which stated that states “must refrain from organizing, instigating,
assisting or participating in terrorist acts in territories of other States, or from acquiescing in
or encouraging activities within their territories directed towards the commission of such
acts.” International case law also supports this principle. In Corfu Channel, “the
International Court of Justice pronounced that every state is under an obligation ‘not to allow
knowingly its territory to be used for acts contrary to the rights of other states.’” In
Tehran, the ICJ re-affirmed that states “are required under international law to take
appropriate acts in order to protect the interests” of other states from non-state actors within
their borders. Finally, scholars have noted this principle “is so widely recognized that it
should not fuel a debate.”

In  short,  it  is  clear  from  state  practice  and  opinio  juris  that  states  have  an  affirmative  duty 
to  prevent  non-state  actors  within  their  borders  from  committing  armed  attacks  on  other 


Schmitt,  supra  note  258,  at  40  (citing  the  1994  Declaration  on  Measures  to  Eliminate  International 
Terrorism,  G.A.  Res.  49/60,  U.N.  GAOR  6th  Comm.,  49th  Sess.,  84th  plen.  mtg.,  Annex,  U.N.  Doc.  A/49/743 
(1994)). 

Id.  at  48  (quoting  Declaration  to  Supplement  the  1994  Declaration  on  Measures  to  Eliminate  International 
Terrorism, G.A. Res. 51/210, U.N. GAOR 6th Comm., 51st Sess., 88th plen. mtg., Annex, U.N. Doc. A/51/631
(1996)). 

Dinstein, supra note 184, at 205-06 (quoting Corfu Channel case (Merits), 1949 I.C.J. Rep. 4, 22 (Apr. 9));
see also Schmitt, supra note 258, at 49.

Dinstein, supra note 184, at 206 (citing Case Concerning United States Diplomatic and Consular Staff in
Tehran, 1980 I.C.J. Rep. 3, 32-33, 44 (May 24)).

Proulx, supra note 277, at 629-60; see also Dinstein, supra note 184, at 205-06 (noting further support
from  Ian  Brownlie,  in  addition  to  himself);  Proulx,  supra  note  277,  at  659-66  (noting  further  support  from 
Davis  Brown,  Lee  Feinstein,  Matthew  Lippman  and  Anne-Marie  Slaughter);  Schmitt,  supra  note  258,  at  39-40, 
48;  Schmitt,  supra  note  57,  at  540-41. 




states. Toleration of such attacks constitutes a crime under international law. Thus, “a
host-state that has the capability to prevent [an armed attack by non-state actors] but fails to
do so will inherently fail to fulfill its duty” under international law. However, it is not
realistic to expect states to completely prevent armed attacks by non-state actors from ever
occurring. As a result, the dispositive factor in evaluating whether states live up to their
duty “will lie, rather, in the conduct of the host-state itself in addressing the potential threat
and in attaining a realistic result in light of the factual circumstances.”

In  and  of  itself,  the  duty  to  prevent  attacks  does  not  make  states  responsible  for  every 
cross-border  attack  by  non-state  actors  that  emanates  from  their  territory.  However,  it  does 
bridge  the  gap  between  the  actions  of  non-state  actors  and  state  responsibility  for  those  acts. 
The  next  section  completes  the  analysis  of  imputing  state  responsibility  for  the  cross-border 
attacks  of  non-state  actors. 

C.  Imputing  State  Responsibility  for  Acts  by  Non-State  Actors 


See  Proulx,  supra  note  277,  at  660  (referencing  this  duty  in  regard  to  terrorism).  State  practice  and  opinio 
juris  are  the  two  elements  that  the  international  legal  community  recognizes  as  the  basis  for  CIL.  Jeremy 
Marsh, Lex Lata or Lex Ferenda? Rule 45 of the ICRC Study on Customary International Humanitarian Law,
198 Mil. L. Rev. 116, 121 (2008). State practices, state declarations, and United Nations General Assembly
declarations and resolutions are all forms of state practice. RESTATEMENT (THIRD) OF THE FOREIGN RELATIONS
LAW OF THE UNITED STATES § 102 (1987) [hereinafter RESTATEMENT]. Furthermore, these declarations and
resolutions serve as evidence of opinio juris. Id. § 103.

See Dinstein, supra note 184, at 207.

Proulx,  supra  note  277,  at  660  (discussing  host-states’  duty  to  stop  acts  of  terrorism  against  other  states  when 
those  attacks  originate  from  within  their  borders). 

See  id.  at  662. 

Id.




The question of a state’s legal responsibility for the acts of non-state actors has evolved
significantly during the past 37 years. Before 1972, states were generally not viewed as
legally responsible for the acts of private or non-state actors. Only the conduct of the host-
state’s organs was imputable to it, and state responsibility arose only from acts by qualifying
“agents” of the state. Qualified agents amounted to actors whom a state exercised direct
authority over, and whom the state directed to conduct the acts. As time passed,
international law shifted away from a direct control approach and moved toward an indirect
responsibility approach regarding the acts of non-state actors. This shift began with the
International Tribunal for the former Yugoslavia’s (ICTY) seminal opinion on state
responsibility, in which it revised the effective control test to impute host-state responsibility
for the actions of groups of non-state actors over whom a state had “overall control.”


See  id.  at  616-19. 

See id. at 619.

See id. at 619-20.

See Proulx, supra note 277, at 620-21. The standard for assessing state responsibility under this paradigm
was the “effective control test,” which was first espoused by the ICJ in Nicaragua. In Nicaragua, the United
States financed, organized, trained, supplied and equipped contra rebels, who were fighting against the
government of Nicaragua. Yet despite the contras’ dependence on the United States, the ICJ refused to hold the
United States legally liable for the contras’ actions. The court took the view that while the United States
provided decisive support to the contras, a state was not legally responsible for the actions of non-state actors
unless the state “had effective control of the military or paramilitary operations in the course of which the
alleged violations were committed.” Id. at 620-21 (quoting the Nicaragua case). But see Mark Baker,
Terrorism and the Inherent Right of Self-Defense, 10 HOUS. J. INT’L L. 25, 41 (1987) (raising the question that
state responsibility might arise from the mere toleration of terrorist groups within a host-state’s borders, without
providing any active support).

See Proulx, supra note 277, at 621-23.

See id. (referring to the Tadic case, Prosecutor v. Tadic, Case No. IT-94-1-A, I.C.T.Y. App. Ch., at 49 (July
15, 1999), in which the court held that states were responsible for the acts of militarized groups when the state
coordinated or helped in the general planning of the group’s military activity). This shift was not without
precedent. In 1923, several members of an international commission, who were overseeing the delimitation of
the Greek-Albanian border, were assassinated in Greek territory. The League of Nations organized a special
committee  to  address  the  legal  questions  involved.  While  the  committee  found  that  the  evidence  did  not  support 
Greek  responsibility,  “it  opined  that  a  host-state  could  be  held  responsible  in  like  circumstances  if  it  ‘neglected 




While overall control is still a form of direct control, the opinion marked a significant
relaxation of the standard for state responsibility. The shift to indirect responsibility
continued through the middle of 2001, with a general consensus emerging that any breach of
a host-state’s international obligations to other nations, whether from treaty law or customary
law, resulted in international responsibility for the host-state. These breaches can result
from a state’s acts or its failure to act. This consensus solidified following the 9/11


to  take  all  reasonable  measures  for  the  prevention  of  the  crime  and  pursuit,  arrest  and  bringing  to  justice  of  the 
criminal.’”  Id.  at  627  (quoting  the  Tellini  case,  4  League  of  Nations  O.J.  524  (1924)). 

While  not  yet  culminating  in  a  shift  in  international  law,  further  precedent  for  the  shift  to  indirect  state 
responsibility  comes  from  the  Tehran  case.  In  1979,  Iranian  student  militants  took  over  the  U.S.  embassy  and 
consulates  in  Iran.  The  ICJ  found  no  evidence  that  the  militants  were  operating  on  the  direct  behest  of  the 
Iranian  state,  and  therefore  found  that  the  attacks  could  not  be  attributed  to  the  state.  However,  the  court  also 
laid  some  blame  on  Iran,  finding  that  “Iran  was  not  ‘free  of  any  responsibility  in  regard  to  those  attacks;  for  its 
own  conduct  was  in  conflict  with  its  international  obligations.’”  “The  court  noted  that  Iran  had  a  ‘categorical 
duty’  to  protect  the  victims  of  the  attack.”  It  justified  this  position  on  the  grounds  that  Iran  bore  indirect 
responsibility  for  its  failure  “‘to  take  any  appropriate  steps  . . .  either  to  prevent  this  attack  or  to  stop  it  before  it 
reached  its  completion.’”  Id.  at  627-28  (quoting  from  the  Tehran  case,  Tehran  Hostages  Case  (U.S.  v.  Iran), 
1980 I.C.J. 64 (May 24)).

Lastly,  the  trend  towards  indirect  responsibility  was  evident  in  several  cases  before  the  Security  Council  in  the 
1990s.  In  several  cases  concerning  international  terrorism,  the  Security  Council  recognized  the  rights  of  injured 
states  to  pursue  terrorists  into  other  states  to  eliminate  their  bases  of  operation.  Examples  of  such  were  in  1995- 
96  when  Turkey  pursued  Kurdish  irregulars  on  Iraqi  soil;  in  1992  and  1995  when  Senegal  entered  Guinea- 
Bissau  to  strike  at  safe  havens  used  by  opposition  forces;  and  in  1998  when  the  United  States  bombed  parts  of 
Afghanistan  following  terrorist  attacks  on  U.S.  embassies  in  Tanzania  and  Kenya.  See  id.  at  630-31. 

See Proulx, supra note 277, at 621.

See  id.  at  622-23  (referencing  the  International  Law  Commission’s  adoption  of  the  2001  Draft  Articles  on 
the  Responsibility  of  States  for  Internationally  Wrongful  Acts,  U.N.  Doc.  A/CN.4/L.602/Rev.  1  (2001)).  After 
the  International  Law  Commission  approved  the  Draft  Articles,  the  United  Nations  General  Assembly  took  note 
of  them  and  commended  them  to  state  governments  on  two  different  occasions;  first  in  2001  and  next  in  2004. 
See  G.A.  Res.  56/83,  U.N.  Doc.  A/RES/56/83  (Jan.  28, 2002);  G.A.  Res.  59/35,  U.N.  Doc.  A/RES/59/35  (Dec. 
16,  2004). 

See  id.  at  626  (referencing  Article  2  of  the  2001  Draft  Articles  of  the  Responsibility  of  States  for 
Internationally  Wrongful  Acts). 




terrorist attacks on the United States, bringing us to today’s framework for state
responsibility.

September 11, 2001 marked the culmination of the shift of state responsibility from the
paradigm of direct control to indirect responsibility. On that date, Al Qaeda terrorists
hijacked four airplanes and flew three of them into buildings in the United States, killing
more than three thousand U.S. citizens, in what was widely recognized as an armed attack.
Al Qaeda was based in Afghanistan, which at the time was ruled by the Taliban. While
the Taliban harbored Al Qaeda and occasionally provided it limited logistical support, the
Taliban did not exercise effective or even overall control over Al Qaeda. Further
distancing the Taliban from 9/11 is the lack of evidence suggesting that the Taliban knew of
the 9/11 attacks beforehand, or even endorsed them after the fact. Yet despite all of this, it
was internationally accepted that Al Qaeda’s acts were legally imputable to the Taliban, and
thus Afghanistan, because it had harbored and sheltered Al Qaeda, and refused to stop doing
so, even after being warned to stop.

Thus,  following  9/11,  state  responsibility  may  be  implied  based  on  a  state’s  failure  to 
fulfill  its  international  duty  to  prevent  non-state  actors  from  using  its  territory  to  attack  other 

See generally id. at 618-19, 625-43 (explaining the shift from direct responsibility to indirect responsibility
for the acts of non-state actors and the state of the law post-9/11).

See  id.  at  634-52. 

Schmitt,  supra  note  258,  at  33. 

See  Proulx,  supra  note  277,  at  634-37. 

See  id.  at  635-36. 

See  id.  at  636. 

See  id.  at  637-41. 




states. The contemporary doctrine of state responsibility does not require a causal link
between a wrongdoer and a host-state; rather, it focuses on the state’s duty to prevent attacks
from its territory into that of another. “Hence, a state’s passiveness or indifference toward
[a non-state actor’s] agendas within its own territory might trigger its responsibility, possibly
on the same scale as though it had actively participated in planning.” Much of the legal
analysis of whether a state is responsible will “turn on an ex-post facto analysis of whether
the state could have put more effort into preventing the . . . attack.”

However, even when state responsibility is imputed for the armed attacks of non-state
actors, states may still be forbidden from responding with force. The final step in the legal
analysis for determining when victim-states can forcibly respond to the armed attacks of
non-state actors ends with the legality of cross-border operations against other states.

D.  Cross  Border  Operations 

Cross-border operations into the territory of an offending state are the natural
consequence of imputed state responsibility for the armed attacks of non-state actors.
However, states must meet a number of legal requirements before they may pursue a
non-state aggressor into another state in self-defense. To understand the rationale behind why

See  Tal  Becker,  Terrorism  and  the  State:  Rethinking  the  Rules  of  State  Responsibility  3  (2006); 
2001  Draft  Articles  on  the  Responsibility  of  States  for  Internationally  Wrongful  Acts,  U.N.  Doc.  A/CN.4/L.602/ 
Rev.  1  (2001). 

See  Becker,  supra  note  304,  at  3;  Proulx,  supra  note  277,  at  633. 

Proulx,  supra  note  277,  at  624. 

Id.  at  663-64. 

See Schmitt, supra note 57, at 540-41.




states  may  breach  a  host-state’s  general  right  to  territorial  integrity  in  self-defense  and  the 
requirements  states  must  meet  in  order  to  do  so,  one  must  first  look  to  the  U.N.  Charter’s 
general  prohibition  on  using  force  against  another  state. 

The right of territorial integrity generally gives way to the right of self-defense. The
principle  underlying  this  balancing  act  is  that  when  one  state  violates  another  state’s 
territorial  integrity,  it  forfeits  its  own  right  to  territorial  integrity.  Of  course,  this  principle 
evolved  out  of  state-on-state  attacks.  Nonetheless,  it  may  be  applied  in  a  similar  manner 
when  states  are  indirectly  responsible  for  the  violations  of  another  state’s  territorial  integrity 
by  non-state  actors. 

Ascertaining  the  appropriate  balance  between  one  State’s  right  to  territorial 
integrity  and  another’s  right  to  self-defense  depends  in  part  on  the  extent  to 
which  the  former  has  complied  with  its  own  international  obligations  vis-a-vis 
the  latter.  It  is  a  long-established  principle  of  international  law  that  “a  State  is 
bound  to  use  due  diligence  to  prevent  the  commission  within  its  dominions  of 
criminal  acts  against  another  nation  or  its  people.” 

If  a  State  is  unable  or  unwilling  to  comply  with  this  obligation,  the  victim- 
state  may  then  cross  into  the  offending  State  to  conduct  defensive  operations. 

It  cannot  be  otherwise,  for  the  unwillingness  or  inability  of  one  State  to 
meet  its  legal  obligations  cannot  deprive  other  States  of  the  most  important 
right  found  in  international  law,  the  right  to  defend  oneself  against  an  armed 
attack.

As always, before a state resorts to self-defense, it must ensure that it meets the criteria of
necessity, proportionality, and, if using the subset of anticipatory self-defense, imminency.
Effectively,  a  state  must  have  no  viable  alternatives  to  the  use  of  force,  and  it  must  limit  its 


After  all,  “it  is  manifestly  legal  to  cross  into  another  State  to  conduct  military  operations  in  self-defense  if  it 
is  that  State  which  has  committed  aggression.”  Id.  at  540. 

Id.  at  540-42  (quoting  S.S.  Lotus  (Fr.  v.  Turk.)  1927  P.C.I.J.  (ser.  A)  No.  10,  at  4,  88  (Moore,  J., 
dissenting)). 

See  id.  at  542. 



use  of  force  to  securing  its  defensive  objectives.  Naturally,  no  two  situations  are  alike,  and 
justifications  for  self-defense  are  case-specific. 

The application of these requirements may vary depending on whether the acts of the non-state
actors were imputed based on direct control or indirect attribution. In cases of direct
control, the victim-state may immediately fully impute responsibility to the host-state and act
in self-defense against it and the non-state actors inside it. In cases of indirect attribution,
victim-states must overcome another hurdle before conducting cross-border operations.
Namely, the victim-state must ensure that it has properly linked the actions of the non-state
actors to the host-state; this may be achieved by issuing a demand to the sanctuary state to
“comply with its obligation to prevent its territory from being improperly used.” The
sanctuary state must then act against the non-state actors, or willingly allow the victim-state
to enter its territory and mount operations against the non-state actors. Should the host-state
be unwilling to meet these requirements, the victim-state can fully impute responsibility
and conduct its cross-border operations into the host-state. However, in doing so, the
victim-state must limit its targets to the non-state actors, unless the host-state uses force to
oppose the lawful cross-border operations.


See  id. 

See  id.  at  543. 

Id.  at  542. 

See  id.  at  543. 

See  Proulx,  supra  note  111,  at  641-42;  Schmitt,  supra  note  57,  at  543;  Mullerson,  supra  note  258,  at  109. 
See  Schmitt,  supra  note  57,  at  543. 




There are numerous examples of internationally accepted cross-border operations into
states that were indirectly responsible for the actions of non-state actors. Examples prior to
9/11 include: Turkey’s entrance into Iraq in 1995 to pursue Kurdish irregulars; Senegal’s
entrances into Guinea-Bissau in 1992 and 1995 to strike safe havens used by opposition
forces; and the U.S. bombings of Afghanistan in 1998 to strike at terrorist training camps.
Post-9/11 examples include: Israel’s initial entrance into Lebanon in 2006, following
Hezbollah’s raid into Israel; and Turkey’s air strikes into Iraq in 2007 against Kurdish
irregulars.

Based  on  the  foregoing  analysis,  it  is  evident  that  victim-states  may  forcibly  respond  to 
armed  attacks  by  non-state  actors  located  in  another  state  when  host-states  violate  their  duty 
to  prevent  those  attacks.  With  cyberattacks,  imputing  state  responsibility  in  this  manner 
provides  states  a  legal  path  to  utilizing  active  defenses  without  having  to  conclusively 
attribute  an  attack  to  a  state  or  its  agents.  In  effect,  imputing  responsibility  is  the  equivalent 
of  attributing  the  attack  to  the  state  or  its  agents.  Thus,  imputing  responsibility  provides 
states  a  way  around  the  attribution  problem  and  response  crisis.  However,  just  because  there 
is  a  legal  pathway  to  get  around  the  requirement  that  armed  attacks  be  attributable  to  a  state 
or  its  agents,  does  not  mean  that  cyberattacks  by  non-state  actors  lend  themselves  to  this 
framework.  As  a  result,  it  is  imperative  to  explain  why  cyberattacks  constitute  armed 
attacks,  what  a  state’s  duty  to  prevent  cyberattacks  means,  and  the  factual  circumstances  that 

See Proulx, supra note 277, at 630-31.

See  Greg  Myre  &  Steven  Erlanger,  Clashes  Spread  to  Lebanon  as  Hezbollah  Raids  Israel,  N.Y.  TIMES,  July 
13, 2006, at A1.

See  Sebnem  Arsu  &  Stephen  Farrell,  Turkey  Bombs  Kurds  in  Iraq;  2  Sides  Differ  on  Casualties,  N.Y.  TIMES, 
Dec.  23,  2007,  at  A27. 




would  allow  a  victim-state  to  forcibly  respond  to  a  cyberattack,  all  of  which  are  addressed  in 
Part  VI. 

VI.  Analyzing  Cyberattacks  under  Jus  ad  Bellum 

Cyberattacks  represent  a  conundrum  for  legal  scholars.  Cyberattacks  come  in  many 
different  forms,  their  destructive  potential  only  limited  by  the  creativity  and  skill  of  the 
attackers behind them. While it may seem intuitive that such attacks can constitute armed
attacks, especially in light of their ability to injure or kill, the legal community has been
reluctant to classify them this way because they do not resemble “classic attack[s] with
traditional military force.” Further clouding the legal waters are the erroneous views of
states  and  scholars  alike  on  the  need  for  states  to  attribute  cyberattacks  to  a  state  or  its  agents 
before  responding  with  force  under  the  law  of  war.  While  it  is  true  that  cyberattacks  do  not 
resemble  traditional  armed  attacks,  and  that  cyberattacks  are  difficult  to  attribute,  neither  of 
these  characteristics  of  cyberattacks  should  preclude  states  from  responding  with  force  under 
the  law  of  war.  This  part  explores  different  analytical  models  for  assessing  armed  attacks, 
the  logical  meaning  of  the  duty  of  prevention  as  it  relates  to  cyberattacks,  and  the 
technological  capacity  of  trace  programs  to  trace  attacks  back  to  their  point  of  origin.  After 
all  of  these  issues  are  examined,  it  becomes  clear  that  states  may  legally  use  active  defenses 
against  cyberattacks  originating  from  states  that  violate  their  duty  to  prevent  them. 

Wingfield,  supra  note  48,  at  100;  see  also  Part  III.A-B. 

Thomas Wingfield, When is a Cyberattack an “Armed Attack?”: Legal Thresholds for
Distinguishing Military Activities in Cyberspace 6 (Cyber Conflict Studies Assoc., 2006); see also
Greenberg et al., supra note 24, at xvii-xviii (noting the ambiguous state of international law regarding
cyberattack classification).




A.  Cyberattacks  as  Armed  Attacks 

Victim-states  must  be  able  to  classify  a  cyberattack  as  an  armed  attack  or  imminent  armed 
attack  before  responding  with  active  defenses.  This  is  because  armed  attacks  and  imminent 
armed attacks are the triggers that allow states to respond in self-defense or anticipatory self-defense.
Ideally, there would be clear rules for classifying cyberattacks as armed attacks,
imminent armed attacks or lesser uses of force. Unfortunately, since cyberattacks are a
relatively  new  attack  form,  international  efforts  to  classify  them  are  still  in  their  infancy, 
even  though  the  core  legal  principles  governing  armed  attacks  are  well  settled.  This  has 
left  the  questions  of  whether  cyberattacks  can  qualify  as  armed  attacks,  and  which 
cyberattacks  should  be  considered  armed  attacks,  as  open  questions  in  international  law. 

To  answer  these  questions,  this  section  examines  the  core  legal  principles  governing  armed 
attacks,  applies  them  to  cyberattacks,  explains  why  cyberattacks  can  qualify  as  armed 
attacks,  and  attempts  to  provide  some  insight  into  which  cyberattacks  should  be  considered 
armed  attacks. 


See  supra  Part  IV.C-D. 

See  Wingfield,  supra  note  322,  at  1-2,  13.  State  coercion  comes  in  three  different  forms:  threats  to 
international  peace  and  security,  uses  of  force,  and  armed  attacks.  Id.  at  2.  Threats  to  international  peace  and 
security  and  uses  of  force  are  both  prohibited  by  Article  2(4)  of  the  U.N.  Charter.  Armed  attacks,  including 
imminent  armed  attacks,  are  a  more  specific  subset  of  uses  of  force  that  trigger  a  victim-state’s  inherent  right  of 
self-defense in response to them under Article 51 of the U.N. Charter. See id. at 4-5.

Id.  at  2-3,  13. 

Id.  at  12. 

Id. 




“Armed  attack”  is  not  defined  by  any  international  convention.  As  a  result,  its  meaning 
has  been  left  open  to  interpretation  by  states  and  scholars.  While  this  might  sound 
problematic,  it  is  not.  The  framework  for  analyzing  armed  attacks  is  relatively  well  settled, 
as are the core legal principles governing its meaning. The international community
generally accepts Jean S. Pictet’s scope, duration and intensity test as the starting point for
evaluating whether a particular use of force constitutes an armed attack. Under Pictet’s
test,  a  use  of  force  is  an  armed  attack  when  it  is  of  sufficient  scope,  duration  and  intensity. 


See  Wingfield,  supra  note  48,  at  73  (noting  the  failure  of  international  treaties  to  define  “use  of  force,” 
“armed  force”  or  “armed  attack”). 

See  Wingfield,  supra  note  322,  at  12. 

See Sharp, Sr., supra note 24, at 57-58 (referencing Commentary on the Geneva Convention
Relative to the Protection of Civilian Persons in Time of War 17-21 (Jean S. Pictet ed., 1958));
Wingfield, supra note 48, at 57, 60-68 (referencing Commentary on the Geneva Convention Relative
to the Protection of Civilian Persons in Time of War 17-21 (Jean S. Pictet ed., 1958)). Courts and
scholars have also used a similar ‘scale and effects’ test to judge whether a particular attack rises to the level of
an armed attack or constitutes a lesser use of force. See Military and Paramilitary Activities in and against
Nicaragua (Nicar. v. U.S.), 1986 I.C.J. 14, 214-16 (June 27); Dinstein, supra note 184, at 193-96 (using the
‘scale and effects’ test from the Nicaragua case to assess armed attacks).

Pictet  formulated  this  test  to  help  clarify  when  international  armed  conflict  exists  under  Common  Article  2  of 
the Geneva Conventions. See Sharp, Sr., supra note 24, at 57-58; Wingfield, supra note 48, at 57-60.
Common Article 2 expresses three circumstances under which international armed conflict exists, and is widely
accepted as the transition point between peace and war. Wingfield, supra note 48, at 57. The Common Article
2 circumstances are: a declared war between states, the partial or total occupation of another state, or any other
armed conflict between states (also known as de facto hostilities). Geneva Convention for the Amelioration of
the Condition of the Wounded and Sick in Armed Forces in the Field, Aug. 12, 1949, 6 U.S.T. 3114, 75
U.N.T.S. 31 [hereinafter Geneva I]. Once any of these circumstances are met, the threshold between peace and
armed conflict is crossed, and the full body of the law of war applies in its entirety. See Wingfield, supra note
48,  at  57-60.  Since  the  first  two  situations  are  relatively  straightforward,  the  bulk  of  the  law  focuses  on  what 
constitutes  an  armed  conflict.  See  id. 

The  Geneva  Conventions  generally  refers  to  the  four  Geneva  Conventions  of  1949.  Article  2  of  each 
convention  is  exactly  the  same,  which  is  why  it  is  called  a  common  article.  Individual  citations  are  as  follows: 
Geneva  I,  supra  note  330;  Geneva  Convention  for  the  Amelioration  of  the  Condition  of  the  Wounded,  and 
Shipwrecked Members of Armed Forces at Sea, Aug. 12, 1949, 6 U.S.T. 3217, 75 U.N.T.S. 85; Geneva
Convention  Relative  to  the  Treatment  of  Prisoners  of  War,  Aug.  12,  1949,  6  U.S.T.  3316,  75  U.N.T.S.  135; 
Geneva  Convention  Relative  to  the  Protection  of  Civilian  Persons  in  Time  of  War,  Aug.  12,  1949,  6  U.S.T. 
3516,  75  U.N.T.S.  287. 

See  Wingfield,  supra  note  48,  at  57. 




Of  course,  as  is  the  case  with  many  international  legal  concepts,  states,  non-governmental 
organizations  and  scholars  all  interpret  the  scope,  duration  and  intensity  test  differently. 

State  declarations  help  flesh  out  which  uses  of  force  are  of  sufficient  scope,  duration  and 
intensity  to  constitute  an  armed  attack.  Harkening  back  to  the  French  language  version  of  the 
U.N.  Charter,  which  refers  to  “armed  aggression”  rather  than  an  “armed  attack,”  the  U.N. 
General Assembly passed the Definition of Aggression resolution in 1974. The resolution
requires an attack to be of “sufficient gravity” before it is considered an armed attack.
While the resolution never defines armed attacks, it provides examples of them that are
widely accepted by the international community. Unfortunately, the list of armed attacks


See Wingfield, supra note 48, at 60-68, 111-23 (noting disagreements between the International
Committee of the Red Cross’s interpretation and the United States’ interpretation, and reviewing different
methods for evaluating the scope, duration and intensity of cyberattacks); Brown, supra note 51, at 187-89
(discussing instrument-based evaluations of armed attacks versus effects-based evaluations of armed attacks).

See Wingfield, supra note 48, at 111 (2000) (referencing Definition of Aggression, G.A. Res. 3314, U.N.
GAOR, 29th Sess., U.N. Doc. A/RES/3314 (Dec. 14, 1974)).

Definition of Aggression, G.A. Res. 3314, Annex, art. 2, U.N. GAOR, 29th Sess., U.N. Doc.
A/RES/3314/Annex (Dec. 14, 1974) (noting that the uses of force “shall constitute prima facie evidence of an
act of aggression although the Security Council may . . . conclude that a determination that an act of aggression
has been committed would not be justified in the light of other relevant circumstances, including the fact that
the acts concerned or their consequences are not of sufficient gravity”).

See Wingfield, supra note 48, at 111. Its view of what constitutes an armed attack encompasses:

(a)  Invasion,  bombardment  and  cross-border  shooting.  These  examples  represent  the  classic  cases  of 
armed  attacks,  provided  “that  the  military  actions  are  on  a  certain  scale  and  have  a  major  effect,  and 
are  thus  not  to  be  considered  mere  frontier  incidents.” 

(b)  Blockade.  An  effective  blocking  of  a  state’s  ports  or  coasts  by  the  armed  forces  of  another  state  is 
an  armed  attack.  The  barring  of  passage  for  land-locked  states  to  the  open  sea  across  another  state’s 
territory  has  not  been  accepted  as  an  armed  attack. 

(c)  Attack  on  the  land,  sea  or  air  forces  or  on  the  civilian  marine  and  air  fleets.  An  armed  attack 
occurs  when  the  armed  forces  of  one  state  attack  the  land,  sea,  or  air  forces,  or  the  civilian  marine 
and  air  fleets,  of  another  state.  The  regular  forces  of  a  state,  wherever  they  are,  always  have  the 
right  to  defend  themselves  by  military  force. 

(d)  Breach  of  stationing  agreements.  An  armed  attack  may  occur  when  a  state  uses  its  armed  forces 
within  the  territory  of  another  state  in  contravention  of  the  conditions  provided  for  in  the  agreement, 
or  any  extension  of  their  presence  beyond  the  termination  of  the  agreement;  provided,  however,  that 




from  the  resolution  is  not  comprehensive,  as  it  only  deals  with  conventional  attacks. 

While  the  resolution  has  helped  settle  the  meaning  of  armed  attacks  for  conventional  attacks, 
the  more  technology  has  advanced,  the  more  attacks  have  come  in  forms  not  previously 
covered by state declarations and practices. Consequently, states recognize that
unconventional uses of force may warrant treatment as an armed attack when their scope,
duration and intensity are of sufficient gravity. As a result, states are continually making
proclamations about new methods of warfare, slowly shaping the paradigm for classifying
armed attacks.


the  breach  of  the  terms  of  the  agreement  has  the  effect  of  an  invasion  or  occupation. 

(e) Placing territory at another state's disposal. The voluntary action of a state in allowing another
state  to  use  its  territory  for  committing  an  armed  attack  is  also  an  armed  attack. 

(f)  Participating  in  the  use  of  force  by  military  organized  unofficial  groups.  It  is  widely  accepted  that 
indirect  force  falls  under  the  definition  of  armed  attack.  The  sending  of  armed  bands  to  use  force  in 
another  state  makes  the  armed  bands  a  de  facto  state  agent,  thus  the  sending  state  has  engaged  in  an 
armed  attack.  Similarly,  ‘substantial  involvement’  in  the  activities  of  an  armed  band  may  also 
constitute  an  armed  attack. 

Id.  at  111-12  (quoting  THE  CHARTER  OF  THE  UNITED  NATIONS:  A  COMMENTARY  669-74  (Bruno  Simma  ed. 
1994)). 

See id. at 112-15 (noting that the use of bacteriological, biological and chemical agents against another state
is  considered  an  armed  attack,  despite  not  being  listed  in  the  Definition  of  Aggression  resolution). 

See Wingfield, supra note 48, at 113-15; Qiao Liang & Wang Xiangsui, Unrestricted Warfare 1-5
(1999)  (speculating  that  technological  advancement  and  globalization  are  changing  warfare  so  that  future  wars 
will  be  carried  out  using  non-military  war  operations,  such  as  cyberattacks,  in  addition  to  conventional  military 
force). 

See  Wingfield,  supra  note  48,  at  100. 

For  instance,  the  United  States  has  made  several  declarations  regarding  cyberattacks,  each  of  which 
generally  infers  that  certain  cyberattacks  can  be  treated  as  armed  attacks,  provided  their  scope,  duration  and 
intensity  have  the  same  consequences  as  those  normally  associated  with  armed  attacks.  See  Jensen,  supra  note 
5,  at  226-28;  see  also  Department  of  Defense,  Office  of  General  Counsel,  An  Assessment  of  International  Legal 
Issues, May 1999, reprinted in Wingfield, supra note 48, at 431 (treating cyberattacks as armed attacks when
their consequences mirror those of an armed attack); Exec. Order No. 13,010, 61 Fed. Reg. 37,347 (July 15,
1996) (vowing to protect critical infrastructure against cyberattacks because their incapacitation or destruction
could have a debilitating effect on U.S. defense and economic security); Exec. Order 13,321, 66 Fed. Reg.
53,063  (Oct.  16,  2001)  (vowing  to  respond  to  cyberattacks  against  critical  national  infrastructure  due  to  their 
potentially  devastating  effects  on  the  United  States). 




Scholars  have  advanced  several  analytical  models  to  deal  with  unconventional  attacks, 
such  as  cyberattacks,  to  help  ease  attack  classification  and  put  the  scope,  duration  and 
intensity analysis into more concrete terms. These models are especially relevant to
cyberattacks because they straddle the line between criminal activity and armed warfare.
There are three main analytical models for dealing with unconventional attacks. The first
model is an instrument-based approach, which checks to see whether the damage caused by a
new attack method could only have been previously achieved with a kinetic attack. The
second is an effects-based approach, sometimes called a consequence-based approach, in
which the attack’s similarity to a kinetic attack is irrelevant and the focus shifts to the overall
effect that the cyberattack has on a victim-state. This is the approach that the United


Brown, supra note 51, at 187-88.

See id. at 187. Cyberattacks can be as simple as defacing a website, or as severe as crashing another state’s
stock  markets  and  keeping  them  shut  down  for  some  time. 

See  Brown,  supra  note  51,  at  187  (discussing  the  instrument-based  and  effects-based  approaches);  Jensen, 
supra  note  5,  at  223-26  (discussing  the  strict  liability  and  consequence-based  approaches);  Horace  Robertson, 
Jr., Self-Defense against Computer Network Attack, in Computer Network Attack and International
Law 121, 134-38 (Michael N. Schmitt & Brian T. O’Donnell eds., Naval War College 2002) (discussing the
consequence-based and strict liability approaches); Schmitt, supra note 55, at 913-17 (discussing the
instrument-based and consequence-based approaches).

See Brown, supra note 51, at 187-88; Dinstein, supra note 24, at 103-05. For instance, under an
instrument-based approach, a cyberattack used to shut down a power grid is an armed attack. This is because shutting
down  a  power  grid  typically  required  dropping  a  bomb  on  a  power  station  or  some  other  kinetic  use  of  force  to 
incapacitate  the  grid.  Since  conventional  munitions  were  previously  required  to  achieve  the  result,  under  the 
instrument-based  approach  the  cyberattack  is  therefore  treated  the  same  way. 

See  Ian  Brownlie,  International  Law  and  the  Use  of  Force  by  States  362-63  (1963);  Wingfield, 
supra  note  48,  at  117-30;  Brown,  supra  note  51,  at  187-88;  Schmitt,  supra  note  3,  at  1071-72;  Schmitt,  supra 
note 55, at 911-15. For instance, under an effects-based approach, a cyberattack that manipulated information
across  a  state’s  banking  and  financial  institutions  to  seriously  disrupt  commerce  in  the  state  is  an  armed  attack. 
While  the  manipulation  of  information  does  not  resemble  a  kinetic  attack,  as  required  under  an  instrument- 
based  approach,  the  disruptive  effects  that  the  attack  had  on  the  state’s  economy  is  a  severe  enough  overall 
consequence  that  it  warrants  treatment  as  an  armed  attack. 




States has adopted. The third is a strict liability approach, in which cyberattacks against
CNI are automatically treated as armed attacks, due to the severe consequences that can
result from disabling those systems.

While  these  analytical  models  differ,  the  common  thread  between  them  is  that  the 
proponents  of  each  analytical  model  all  agree  that  cyberattacks  can  constitute  an  armed 
attack. In fact, a large number of the scenarios covered in Part III, Section B fit into the
meaning of armed attack under all three models of analysis. Cyberattacks short of armed
attacks would still be considered an unlawful use of force in violation of Article 2(4) of the
U.N. Charter, and would have to be met with measures short of self-defense, such as a
reprisal.


See  Department  of  Defense,  Office  of  General  Counsel,  An  Assessment  of  International  Legal  Issues,  May 
1999, reprinted in Wingfield, supra note 48, at 431, 453-54.

It  is  important  to  note  that  this  third  analytical  model  for  dealing  with  cyberattacks  is  intended  to  justify 
anticipatory  self-defense  before  any  harm  actually  results.  Walter  Gary  Sharp,  Sr.  proposed  this  model  due  to 
the  speed  with  which  a  computer  penetration  can  transition  into  a  destructive  attack  against  defense  CNI.  His 
reasoning  is  that  once  a  penetration  has  occurred,  an  imminent  threat  exists  with  the  ability  to  cause  harm  of 
extreme scope, duration and intensity, thereby justifying anticipatory self-defense. See Sharp, Sr., supra note
24, at 129-31; see also Condron, supra note 24, at 415-22 (discussing the need to treat cyberattacks on CNI as
armed  attacks);  Jensen,  supra  note  5,  at  228-31  (advocating  changing  the  current  jus  ad  bellum  paradigm  to  use 
strict  liability  for  cyberattacks  against  CNI). 

See Wingfield, supra note 48, at 117-30; Brown, supra note 51, at 190; Dinstein, supra note 24, at 103-05;
Schmitt, supra note 55, at 911-15; Robertson, Jr., supra note 342, at 134-38; Condron, supra note 24, at 415-22;
Jensen, supra note 5, at 228-31; Kamal, supra note 22, at 76-84.

See Wingfield, supra note 48, at 117-30; Brown, supra note 51, at 187-88; Dinstein, supra note 24, at 103-05;
Schmitt, supra note 55, at 911-15; Robertson, Jr., supra note 342, at 134-38; Condron, supra note 24, at
415-22; Jensen, supra note 5, at 228-31; Kamal, supra note 22, at 76-84.

See  Wingfield,  supra  note  48,  at  91-99  (discussing  cyberattacks  that  don’t  rise  to  the  level  of  an  armed 
attack).  Unfortunately,  trying  to  formulate  an  exact  line  to  delineate  armed  cyberattacks  from  lesser  uses  of 
force  is  nearly  impossible.  Thus,  this  section  shall  advance  several  analytical  models  to  help  classify  attacks, 
recognizing  that  it  will  be  up  to  victim-states  to  form  the  view  and  declare  whether  particular  cyberattacks 
against  them  are  armed  attacks,  and  to  be  ready  to  defend  their  conclusion  to  the  international  community. 

This  is  because  at  a  minimum,  cyberattacks  are  an  illegal  use  of  force.  As  a  result,  states  can  use  reprisals  to 
deter  attackers  from  attacking  them,  and  to  deter  sanctuary  states  from  ignoring  cyberattacks  by  attackers.  See 




Of  these  three  approaches,  the  effects-based  approach  is  the  best  analytical  model  for 
dealing  with  cyberattacks.  Not  only  does  effects-based  analysis  account  for  everything  that 
instrument-based  approaches  cover,  but  it  also  provides  an  analytical  framework  for 
situations  that  do  not  neatly  equate  to  kinetic  attacks.  Effects-based  analysis  is  also 
superior to strict liability because responses to cyberattacks under an effects-based approach
comport with internationally accepted legal norms and customs, whereas a strict liability
approach may cause victim-states to violate the law of war.

Of  all  of  the  scholars  who  advocate  effects-based  models,  Michael  N.  Schmitt  has 
advanced  the  most  useful  analytical  framework  for  evaluating  cyberattacks.  In  his  seminal 
article, Computer Network Attack and the Use of Force in International Law: Thoughts on a
Normative Framework, Michael Schmitt lays out six criteria for evaluating cyberattacks as
armed attacks. These criteria are: severity, immediacy, directness, invasiveness,


supra  Part  IV.E  (discussing  reprisals);  supra  Part  V.E  (discussing  sanctuary  states  that  allow  attackers  to  act 
inside their borders); infra Parts VI.C (discussing state responsibility for failing to prevent cyberattacks).

For  instance,  a  cyberattack  might  shut  down  a  system,  rendering  it  inoperable  for  some  time,  or  a  cyberattack 
might  cause  an  explosion  at  a  chemical  plant  by  tampering  with  the  computers  that  controlled  the  feed  mixture 
rates.  The  results  of  those  attacks  mirror  the  results  of  conventional  armed  attacks,  previously  only  achievable 
through  kinetic  force,  thus  satisfying  the  instrument-based  approach. 

Unfortunately,  cyberattacks  can  cause  extreme  harm  without  mirroring  the  results  of  conventional  armed 
attacks.  For  instance,  coordinated  cyberattacks  could  bring  financial  markets  to  their  knees  without  ever 
employing  anything  that  looked  remotely  like  a  kinetic  attack;  altered  data  on  a  massive  scale  could  disrupt 
banking,  financial  transactions  and  the  general  underpinnings  of  the  economy,  sowing  confusion  throughout  the 
victim-state  for  some  time.  Under  an  effects-based  approach,  the  scope,  duration  and  intensity  of  this  attack 
would  equate  to  an  armed  attack,  despite  the  fact  that  it  wasn’t  previously  only  achievable  through  kinetic  force. 

The  proponents  of  a  strict  liability  approach  advocate  automatically  responding  to  cyberattacks  on  critical 
infrastructure with active defenses. See Condron, supra note 24, at 415-22; Jensen, supra note 5, at 228-31.
However, automatically responding to cyberattacks in this manner can easily lead a victim-state to counter-attack
a state with a long history of doing everything within its power to prevent cyberattacks and prosecute its
attackers. Were a victim-state to respond with active defenses against a non-sanctuary state, it would violate jus
ad bellum. This is because there is no way to impute state responsibility to such a state, directly or indirectly,
even  though  the  cyberattack  may  constitute  an  armed  attack.  See  supra  Part  V.C. 

Schmitt,  supra  note  55,  at  913-15. 




measurability, and presumptive legitimacy. Taken together, these criteria allow states to
measure cyberattacks along several different axes. While no one criterion is dispositive,
cyberattacks that satisfy enough of the criteria should indeed be characterized as armed attacks.
Since their publication, Schmitt’s criteria have gained traction in the legal community, with
several prominent legal scholars advocating for their use. Many hope that Schmitt’s
criteria  will  help  bring  some  uniformity  to  state  efforts  to  classify  cyberattacks  by  providing 
common  criteria  to  evaluate  cyberattacks.  However,  until  Schmitt’s  criteria  gain  wider 
acceptance,  states  are  likely  to  classify  cyberattacks  differently,  depending  on  their 


Severity  looks  at  the  scope  and  intensity  of  an  attack.  Analysis  under  this  criterion  would  include  looking  at 
the  number  of  people  killed,  size  of  the  area  attacked,  and  amount  of  property  damage  done.  The  greater  the 
damage,  the  more  powerful  the  argument  becomes  for  treating  the  cyberattack  as  an  armed  attack.  See 
Wingfield,  supra  note  48,  at  124-27  (examining  Michael  Schmitt’s  use  of  force  analysis). 

Immediacy  looks  at  the  duration  of  a  cyberattack,  as  well  as  other  timing  factors.  Analysis  under  this 
criterion  looks  at  how  long  the  cyberattack  lasted,  how  soon  its  effects  were  felt,  and  how  long  it  took  for  the 
effects  to  abate.  The  longer  the  duration  and  effects,  the  more  it  looks  like  an  armed  attack.  See  id.  (examining 
Michael  Schmitt’s  use  of  force  analysis). 

Directness  looks  at  the  harm  caused.  If  the  attack  was  the  proximate  cause  of  the  harm,  it  strengthens  the 
argument  that  the  cyberattack  was  an  armed  attack.  If  the  harm  was  caused  in  full  or  in  part  by  other  parallel 
attacks,  the  weaker  the  argument  that  the  cyberattack  was  an  armed  attack.  See  id.  (examining  Michael 
Schmitt’s  use  of  force  analysis). 

Invasiveness  looks  at  the  locus  of  the  attack.  An  invasive  attack  is  one  that  physically  crosses  state  borders, 
or  electronically  crosses  borders  and  causes  harm  within  the  victim-state.  The  more  invasive  the  cyberattack, 
the  more  it  looks  like  an  armed  attack.  See  id.  (examining  Michael  Schmitt’s  use  of  force  analysis). 

Measurability  tries  to  quantify  the  damage  done  by  the  cyberattack.  Quantifiable  harm  is  generally  treated 
more  seriously  in  the  international  community.  The  more  a  state  can  quantify  the  harm  done  to  them,  the  more 
the  cyberattack  looks  like  an  armed  attack.  Speculative  harm  generally  makes  a  weak  case  that  the  cyberattack 
was  an  armed  attack.  See  id.  (examining  Michael  Schmitt’s  use  of  force  analysis). 

Presumptive  legitimacy  focuses  on  state  practice  and  the  accepted  norms  of  behavior  in  the  international 
community.  Actions  may  gain  legitimacy  under  the  law  when  the  international  community  accepts  certain 
behavior  as  legitimate.  The  less  a  cyberattack  looks  like  accepted  state  practice,  the  stronger  the  argument  that 
it  is  an  illegal  use  of  force  or  an  armed  attack.  See  id.  (examining  Michael  Schmitt’s  use  of  force  analysis). 

See  id.  at  122-29  (examining  Michael  Schmitt’s  use  of  force  analysis). 

See Wingfield, supra note 322, at 6-7; WINGFIELD, supra note 48, at 115-29 (2000); Vida Antolin-Jenkins,
Defining the Parameters of Cyberwar Operations: Looking for Law in all the Wrong Places?, 51 Naval L.
Rev. 132, 169-72 (2005); Robertson, Jr., supra note 342, at 134-38.




understanding  of  armed  attacks,  as  well  as  their  conception  of  vital  national  interest. 
Moreover,  universal  acceptance  of  Schmitt’s  criteria  is  still  probably  some  time  off,  as 
effects-based  analysis  is  not  free  from  criticism. 

For example, detractors generally critique effects-based analysis as useful only long after
a cyberattack occurs, arguing that cyberattacks force states to make rapid decisions with little
information, and that performing an effects-based analysis forces states to delay their
responses to the point that the state suffers preventable harm. More specifically, some
detractors acknowledge that effects-based analysis may be useful, but advocate treating all
cyberattacks on CNI as armed attacks on the grounds that it is too dangerous to waste time
analyzing the attack when CNI is at risk. These detractors generally advocate a strict
liability approach to cyberattacks against CNI, and further advocate responding to all
cyberattacks against CNI in self-defense as the only effective method to protect CNI.

While  the  proponents  of  strict  liability  have  correctly  identified  a  grave  threat  to  state 
security,  their  model  sells  effects-based  analysis  short  and  runs  the  risk  of  unlawfully 
escalating  a  situation.  In  no  way  does  effects-based  analysis  require  a  state  to  delay  its 
response  until  it  can  fully  measure  a  cyberattack  against  all  six  of  Schmitt’s  proposed  axes. 
Decision-makers,  at  times,  must  make  choices  with  imperfect  information.  “As  a  legal 
matter,  however,  the  principle  of  anticipatory-self-defense  does  not,  and  has  never,  required 


See  Wingfield,  supra  note  322,  at  8. 

See  Barkham,  supra  note  29,  at  83-84. 

See Condron, supra note 24, at 415-22 (advocating strict liability for cyberattacks on CNI); Jensen, supra
note 5, at 228-31 (advocating strict liability for cyberattacks on CNI).

See Condron, supra note 24, at 415-22; Jensen, supra note 5, at 228-31.




that the threat have been genuine—only that it be perceived to be so in good faith.” The
imminent  danger  that  some  cyberattacks  pose  will  force  decision-makers  to  attempt  a  good 
faith  assessment  based  on  the  facts  at  hand.  Other  cyberattacks  will  not  be  as  urgent, 
allowing  decision-makers  to  take  time  to  analyze  the  attacks  more  fully.  In  all  cases,  an 
effects-based  approach  provides  a  better  analytical  tool  by  which  to  analyze  an  attack. 
Furthermore,  when  a  threat  is  considered  urgent,  such  as  an  attack  against  CNI,  the  potential 
severity  and  imminence  of  the  attack  may  be  great  enough  to  outweigh  all  other 
considerations.  Furthermore,  even  if  cyberattacks  against  CNI  generally  constitute  armed 
attacks,  automatically  responding  to  them  in  self-defense  may  result  in  the  use  of  force 
against an innocent state, i.e., one that does not meet the threshold for imputing state
responsibility. 

Classifying  cyberattacks  will  be  difficult  for  states  to  do  in  practice.  While  the  initial 
decision  to  respond  to  cyberattacks  under  the  law  of  war  as  a  matter  of  policy  will  have  to  be 


David  Rivkin,  Jr.  et  al.,  War,  International  Law,  and  Sovereignty:  Reevaluating  the  Rules  of  the  Game  in  a 
New  Century:  Preemption  and  Law  in  the  Twenty-First  Century,  5  CHI.  J.  INT'L  L.  467,  496  (2005);  see  also 
Eric  Jensen,  Unexpected  Consequences  from  Knock-On  Effects:  A  Different  Standard  for  Computer  Network 
Operations?, 18 AM. U. INT’L L. REV. 1145, 1181-82 (2003) (discussing United States v. Wilhelm List, XI
Trials of War Criminals Before the Nuremburg Military Tribunals Under Control Council Law No. 10, 1295-96
(1950)). The legal standard for judging a military commander’s decision is whether what the commander
believed to be true at the time (not the actual facts) met the appropriate legal standards. This is known as the
Rendulic Rule, and has been the international standard since the Nuremburg trial of General Rendulic. Id.

State  responsibility  for  cyberattacks  may  be  established  when  states  violate  their  duty  to  prevent 
cyberattacks.  See  infra  Part  VI.B-C. 

While  classifying  cyberattacks  will  be  difficult,  there  is  no  doubt  that  some  cyberattacks  will  qualify  as 
armed  attacks,  and  should  be  dealt  with  using  self-defense  and  anticipatory  self-defense  legal  principles  as  a 
justification  for  using  active  defenses. 

Some  scholars  will  undoubtedly  critique  this  paper’s  conclusion  that  cyberattacks  can  qualify  as  armed  attacks. 
However,  scholars  who  argue  that  cyberattacks  cannot  rise  to  the  level  of  armed  attacks  miss  the  way  the  law 
has responded to unconventional attacks in the past. New attack methods frequently fall outside the accepted
definitions of armed attacks. This does not mean that the attacks are not armed attacks, merely that the attacks
don’t fit traditional classifications. There are several analytical models for classifying new attack forms, all of
which are based on the accepted core legal principles that were used to classify conventional attacks. Of these,




made  by  state  decision-makers,  the  actual  decision  to  use  active  defenses  will  have  to  be 
pushed  down  to  the  system  administrators  who  actually  operate  computer  networks.  One  of 
the  challenges  states  will  face  is  translating  international  law  into  concise,  understandable 
rules  for  their  system  administrators  to  follow,  so  that  a  state’s  agents  comply  with 
international  law  while  protecting  its  vital  computer  networks.  However,  classifying 
cyberattacks  as  armed  attacks  or  imminent  armed  attacks  is  only  the  first  hurdle  system 
administrators  must  clear  before  responding  with  active  defenses.  The  second  and  equally 
important  hurdle  is  establishing  state  responsibility  for  the  attack. 


B.  Modernizing  the  Approach  to  State  Responsibility  for  Cyberattacks 


States  cannot  respond  to  a  cross-border  cyberattack  with  force  without  establishing  state 
responsibility for the attack. Historically, this meant attributing an attack to a state or its
agents  on  the  premise  that  a  state  is  only  responsible  for  its  acts  or  the  acts  of  those  under  its 


the  effects-based  approach  proposed  by  Michael  N.  Schmitt  has  the  greatest  analytical  power  and  makes  the 
most  sense  to  use.  See  supra  Part  VI.A  (discussing  the  attack  classification  of  new  attack  forms).  Furthermore, 
scholars  who  advocate  that  cyberattacks  cannot  rise  to  the  level  of  armed  attacks  miss  an  important  facet  of 
international law—reprisals, which can be used as an alternate basis to authorize active defenses against
cyberattacks  should  the  international  community  reject  this  paper’s  conclusion  and  classify  cyberattacks  as 
lesser  uses  of  force.  This  is  because  at  a  minimum,  cyberattacks  are  an  illegal  use  of  force.  As  a  result,  states 
can  use  reprisals  to  deter  attackers  from  committing  such  acts  in  the  future,  and  to  deter  sanctuary  states  from 
allowing  attackers  to  commit  them.  See  supra  Part  IV.E  (discussing  reprisals);  infra  Part  VI.B-C  (discussing 
state  responsibility  for  failing  to  prevent  cyberattacks). 

As an important sidebar, reprisals may theoretically justify using active defenses to protect non-vital computer
systems. Since attacks on non-vital computer systems amount to illegal uses of force, reprisals may provide
a justification for defending those systems with active defenses (assuming the active defenses targeted non-vital
systems in return). In effect, active defenses may provide a way to deter cyberattacks in general. On these
grounds, private corporations or individuals could theoretically attempt to justify defending their systems with
active  defenses  based  on  the  general  principles  of  self-defense  recognized  by  most  nations.  However,  as  this 
would  most  likely  result  in  non-state  actors  using  active  defenses  across  state  borders,  it  would  raise  a  host  of 
other  questions  under  international  law.  The  ideas  covered  in  this  sidebar  are  beyond  the  scope  of  this  paper, 
but  are  worthy  of  consideration. 

See  supra  Part  V.D. 




direct control. However, as non-state actors have attacked states with increased frequency,
international law has shifted away from this traditional requirement to a model of indirect
state responsibility based on a state’s failure to meet its international duties.

This  shift  is  especially  important  for  cyberattacks  because  the  prevailing  view  that  states 
must  treat  cross-border  cyberattacks  as  a  criminal  matter,  rather  than  as  a  national  security 
matter,  seems  to  be  based  on  the  historic  view  of  state  responsibility.  This  limited  view  of 
state  responsibility  locks  states  into  the  response  crisis  by  requiring  states  to  attribute 
cyberattacks to a state or its agents, even though the likelihood of successfully achieving
such attribution is extremely remote. Consequently, states that subscribe to the traditional
model of state responsibility will find themselves in the response crisis during a cyberattack,
laboring under the false assumption that they must decide between effective, but illegal,
active defenses, and the less effective, but legal, path of passive defenses and host-state
criminal laws.

Given  the  shift  in  the  law  of  state  responsibility,  states  should  determine  whether  a 
cyberattack can be imputed to the state of origin, rather than trying to conclusively attribute


See  supra  Part  V.C. 

See id.

See  supra  Part  III.B;  supra  Part  V,  introduction. 

A  cyberattack  could  be  directly  linked  to  a  state  under  a  few  circumstances.  Potential  direct  links  might 
include  a  state  declaration  that  it  had  made  the  attack;  pre-attack  intelligence  suggesting  that  a  state  was  about  to 
make  an  attack;  or  tracing  an  ongoing  attack  to  computer  systems  known  to  belong  to  a  foreign  military. 

Further  complicating  the  attribution  problem  is  that  cyberterrorists  and  cybercriminals  often  hijack  innocent 
systems  and  use  them  as  zombies  to  initiate  their  cyberattacks.  See  supra  Part  III.A.  While  victim-states  must 
try  to  penetrate  such  guises,  current  technology  may  not  always  allow  them  to  do  so  in  a  timely  manner.  See 
Brown, supra note 51, at 201. In effect, attackers complicate the decision-making process of victim-states, who
must  account  for  these  electronic  disguises  when  trying  to  attribute  the  true  identity  of  an  attacker. 

See  supra  Part  III.B;  supra  Part  V,  introduction. 




it. This is because once a cyberattack is imputed to a state, the legal barriers to acting in self-defense
disappear. States that continue to follow the prevailing view of state responsibility
will unduly limit their right to use active defenses, and increase the chances of a successful
cyberattack against them. Considering the catastrophic consequences that a cyberattack
can  have,  states  should  not  follow  the  prevailing  view  when  the  law  does  not  require  them  to 
do  so. 

While  neither  state  practice  nor  the  publications  of  legal  scholars  support  this  view 
regarding cyberattacks yet, the accepted principles of customary jus ad bellum support


See  supra  Part  V.C-D. 

See Condron, supra note 24, at 415-22; Jensen, supra note 5, at 228-31.

Legal  scholars  generally  agree  that  states  may  not  respond  in  self-defense  until  after  an  attack  is  attributed. 
See Condron, supra note 24, at 415; Dinstein, supra note 24, at 111; Garnett & Clarke, supra note 13, at 478-79.
As a result, state practice is currently to respond to cyberattacks with passive defenses and criminal laws.
See  supra  Part  II.B. 

However,  there  is  a  growing  recognition  among  legal  scholars  that  the  current  paradigm  governing  state 
responses  to  cyberattacks  is  inadequate  to  protect  states  and  it  must  change.  See  supra  note  52.  The  scholars 
who  argue  against  the  current  paradigm  have  tried  to  solve  the  response  crisis  by  finding  creative  ways  around 
the  attribution  problem.  The  three  main  proposals  advanced  by  scholars  before  this  paper  are  discussed  below. 

One  group  of  scholars  advocates  a  strict  liability  approach  to  attacks  against  CNI.  Eric  Jensen  first  argued  for 
this approach, on the basis that attacks against CNI automatically demonstrate hostile intent. Jensen’s proposal
argues  that  states  should  publish  a  list  of  systems  that  they  deem  to  be  CNI,  which  they  would  respond  to  in 
anticipatory  self-defense  in  the  case  of  a  cyberattack.  He  argues  that  publishing  a  list  of  CNI  puts  attackers  on 
notice,  which  can  then  be  used  as  a  tool  to  determine  the  intent  of  an  attacker.  “It  should  be  made  clear  that 
once  an  intruder  has  shown  the  intent  and  capability  to  pierce  the  passive  defense  measures  of  [CNI],  he  has 
demonstrated  sufficient  hostile  intent  to  warrant  an  action  in  self-defense,  even  though  he  may  not  yet  have 
consummated  his  attack.”  See  Jensen,  supra  note  5,  at  236-37.  Sean  Condron  supports  this  approach,  arguing 
that  international  law  should  grant  states  an  exception  to  use  active  defenses  to  protect  CNI,  due  to  the  grave 
harm that cyberattacks against CNI can cause. See Condron, supra note 24, at 415-22.

Another  group  of  legal  scholars  advocate  that  self-defense  is  always  a  legal  response  to  armed  attacks.  Their 
rationale  is  that  the  U.N.  Charter  does  not  subsume  a  state’s  inherent  right  of  self-defense  under  CIL,  which 
includes  a  right  to  respond  to  armed  attacks  by  non-state  actors.  Thus,  states  can  always  respond  to 
cyberattacks  that  amount  to  an  armed  attack  because  the  attack  was  either  conducted  by  a  state,  which  allows 
them  to  respond  under  Article  51  of  the  U.N.  Charter,  or  was  conducted  by  a  non-state  actor,  which  allows  them 
to  respond  under  CIL.  See  Barkham,  supra  note  29,  at  104;  Schmitt,  supra  note  55,  at  933-34. 

Finally,  two  legal  scholars  correctly  home  in  on  state  responsibility  as  the  solution  to  the  attribution  problem. 
However,  instead  of  tying  state  responsibility  to  a  state’s  failure  to  meet  its  duty  to  prevent  cyberattacks,  they 




indirectly  imputing  state  responsibility  for  armed  attacks  by  non-state  actors  when  the  attacks 
originate  from  a  state  that  allows  non-state  actors  to  conduct  criminal  operations  within  their 
borders. States that allow non-state actors to conduct those operations breach their duty to
prevent  attacks  against  other  states,  and  are  known  as  sanctuary  states.  This  is  extremely 


contend  that  when  cyberattacks  are  repeatedly  launched  from  one  state  against  other  states,  the  state  of  origin 
should  be  presumed  to  have  knowledge  of  and  involvement  in  the  attacks.  Following  this  logic,  these  scholars 
argue  that  victim-states  can  hold  host-states  responsible  for  cyberattacks  based  on  their  assumed  control  of  the 
non-state  actors.  Garnett  &  Clarke,  supra  note  13,  at  479. 

While  the  three  approaches  suggested  above  have  less  of  a  basis  in  international  law  than  the  approach 
suggested  by  this  paper,  these  scholars’  ideas  on  getting  around  the  attribution  problem  are  not  without  merit. 
Right  now,  states  are  stuck  in  the  uncomfortable  position  of  relying  on  passive  defenses  and  host-state  criminal 
laws.  Naturally,  states  will  want  to  defend  their  systems  with  active  defenses,  especially  their  critical  systems. 
While  something  more  needs  to  be  done,  automatically  responding  to  cyberattacks  against  critical  systems  with 
active  defenses  may  inadvertently  counter-attack  states  that  meet  their  duty  to  prevent  cyberattacks.  See  supra 
Part  II.A  (discussing  the  response  crisis);  supra  Part  V,  introduction  (discussing  the  response  crisis). 

During  a  cyberattack,  system  administrators  can  frequently  trace  the  electronic  pathways  that  cyberattacks 
follow  back  to  their  source.  See  generally  Wheeler  &  Larsen,  supra  note  158  (for  a  technical  discussion  on 
tracing  cyberattacks  back  to  their  point  of  origin).  When  an  attack  is  traced  to  a  state  that  turns  a  blind  eye  to 
cyberattacks,  such  as  China  or  Russia,  responding  with  active  defenses  seems  like  a  wise  and  legal  option.  This 
is because these states have demonstrated an unwillingness to prevent cyberattacks or cooperate with
victim-states. However, when an attack is traced back to a state that takes affirmative steps to deter cyberattacks and
always  works  its  hardest  to  investigate  and  prosecute  attackers,  such  as  the  United  Kingdom,  automatically 
responding  with  force  does  not  seem  wise  or  legal,  as  the  host-state  is  following  its  international  duty. 

Scholars  who  advocate  responding  to  armed  cyberattacks  regardless  of  an  attacker’s  identity  would,  no  doubt, 
critique this paper’s approach as not going far enough to protect CNI, since it only protects CNI against attacks
originating from sanctuary states, thus leaving CNI vulnerable to attacks that originate elsewhere. As
discussed  earlier,  these  scholars  raise  a  valid  concern  about  the  safety  of  state  CNI.  However,  their  argument 
misses  a  critical  part  of  the  legal  analysis.  Namely,  just  because  a  state’s  CNI  is  under  attack  by  non-state 
actors  does  not  give  the  victim-state  legal  authority  to  violate  the  territorial  integrity  of  a  host-state  and  respond 
with  force.  Such  a  right  only  arises  when  state  responsibility  has  been  established.  Were  a  state  to  follow  the 
path  advocated  by  these  scholars,  the  fears  of  the  scholars  who  don’t  believe  in  active  defenses  would  be 
realized.  Automating  active  defenses  will  result  in  counter-attacks  against  every  attacking  computer  across  the 
world,  regardless  of  their  state  of  origin.  While  targeting  the  systems  of  states  that  choose  not  to  take  part  in  the 
international  community’s  efforts  to  eradicate  cyberattacks  is  an  acceptable  and  lawful  option,  it  is  unacceptable 
and  unlawful  to  target  states  that  fully  participate  in  international  efforts  to  secure  cyberspace. 

See  supra  Part  V.C  (reviewing  the  principles  of  state  responsibility). 

See  supra  Part  V.B  (reviewing  the  duty  to  prevent  non-state  actors  from  using  a  state’s  territory  to  commit 
criminal  acts  against  another  state);  supra  Part  V.D  (reviewing  sanctuary  states  and  the  legality  of  holding  them 
responsible  for  the  actions  of  those  non-state  actors). 




important  to  the  victim-states  of  cyberattacks  because  when  a  cyberattack  originates  from  a 
sanctuary  state,  a  victim-state  may  employ  active  defenses  and  avert  the  response  crisis. 

It  is  thus  necessary  to  understand  the  answers  to  two  key  questions:  (1)  what  is  a  state’s 
duty  to  prevent  cyberattacks;  and  (2)  what  must  a  state  do  to  violate  its  duty  of  prevention? 
The  answers  to  these  questions  are  the  legal  keys  that  will  establish  the  basis  for  imputing 
state responsibility for cyberattacks, and unlock the restraints that states have placed on
themselves  by  unnecessarily  following  the  prevailing  view  of  state  responsibility. 

C.  The  Duty  to  Prevent  Cyberattacks 

States  have  an  affirmative  duty  to  prevent  cyberattacks  from  their  territory  against  other 
states.  This  duty  actually  encompasses  several  smaller  duties,  which  together  constitute  a 
state’s  duty  of  prevention.  These  duties  include:  passing  stringent  criminal  laws  against 
international  cyberattacks,  conducting  vigorous  investigations  into  international  cyberattacks, 
prosecuting  attackers  who  have  conducted  international  cyberattacks,  and  cooperating  with 
the  victim-states  of  cyberattacks  that  originated  from  within  their  borders  during  the 
investigation  and  prosecution.  These  duties  are  the  duties  of  all  states,  and,  as  will  be  shown 
in  this  section,  are  binding  as  CIL.  The  authority  for  these  duties  comes  from  all  three 


Customary  international  law  is  one  of  the  principal  sources  of  international  law.  RESTATEMENT,  supra  note 
283,  §  102.  When  a  legal  principle  becomes  recognized  as  customary  international  law,  it  becomes  a  binding 
legal obligation on all states. Id. Customary international law is formed through state practice and opinio juris
sive necessitatis (a sense of legal obligation on the part of states to engage in a practice). Id. International
agreements, state practice, state declarations and United Nations General Assembly resolutions all count as
forms of state practice. Id. § 102-03. Furthermore, judicial opinions and the writings of international scholars
may both be used as evidence of state practice and opinio juris. Id. § 103.

The  other  principal  source  of  international  law  is  international  agreements.  Id.  §  102.  The  third  and  somewhat 
ancillary  source  of  international  law  is  the  general  principles  of  law  common  to  the  major  legal  systems  of  the 




sources  of  CIL — international  conventions,  international  custom,  and  the  general  principles 
of  law  common  to  civilized  nations,  as  also  evidenced  by  judicial  decisions  and  the  teachings 
of  the  most  highly  qualified  international  legal  scholars. 


1.  Support  from  International  Conventions 


The  only  international  treaty  directly  on  point  is  the  European  Convention  on  Cybercrime. 
While the treaty is only a regional agreement, it is still very influential on CIL because of the
importance of the states that have ratified it under the specially affected states doctrine.


world;  however,  this  is  infrequently  used  as  a  source  of  international  law.  An  example  of  a  general  legal 
principle  is  the  prohibition  on  torture  in  most  domestic  legal  systems.  Id. 

These  definitions  roughly  mirror  the  sources  of  international  law  found  in  the  Statute  of  the  ICJ.  The  Statute  of 
the  ICJ  lists  four  sources  of  international  law,  the  first  three  of  which  mirror  these  sources  of  international  law, 
and  then  uses  judicial  opinions  and  the  publications  of  scholars  as  a  subsidiary  means  for  determining  the  law. 
Furthermore,  the  statute’s  description  of  international  custom  roughly  mirrors  the  Restatement’s  description  of 
CIL. See Statute of the International Court of Justice, art. 38(1), June 26, 1945, 59 Stat. 1055, 1060 (1945).

Customary  international  law  does  not  require  state  practice  to  be  universal.  General  practices  can  satisfy  the 
requirements  of  customary  international  law.  The  test  for  when  state  practices  become  customary  international 
law  is  when  the  practice  is  extensive  and  representative.  “That  is  to  say,  it  is  not  simply  a  question  of  how 
many  States  participate  in  the  practice,  but  also  which  States.”  Jean-Marie  Henckaerts,  Customary 
International  Humanitarian  Law  Study:  A  Contribution  to  the  Understanding  and  Respect  for  the  Rule  of  Law 
in Armed Conflict, in THE LAW OF WAR IN THE 21ST CENTURY: WEAPONRY AND THE USE OF FORCE 37, 42
(Anthony M. Helm ed., Naval War College 2006). This is where the specially affected state doctrine comes
into play. When states whose interests are specially affected by a practice all follow the practice, the practice
becomes CIL even if the majority of states do not participate, as long as the majority acquiesces to the practice.
Likewise, even if the majority of states declare something to be CIL, if the specially affected states do not
accept the practice, it cannot become CIL. Id. at 42-43. In other words, states whose interests are especially
affected by a particular state practice are specially affected states, and their practices carry more weight in
contributing to CIL about that practice. Yoram Dinstein, The ICRC Customary International Law Study, in THE
LAW OF WAR IN THE 21ST CENTURY: WEAPONRY AND THE USE OF FORCE 99, 109 (Anthony M. Helm ed., Naval
War College 2006). The specially affected states doctrine was developed by the ICJ in North Sea Continental
Shelf. North Sea Continental Shelf (F.R.G. v. Den.; F.R.G. v. Neth.), 1969 I.C.J. 3, 43 (Feb. 20).

To  date,  twenty-two  states  have  ratified  the  Convention  on  Cybercrime,  the  majority  of  which  are  major  western 
powers, six of which place among the twelve states with the most Internet users in the world—France,
Germany, Italy, the Netherlands, the United Kingdom and the United States. Together, these six states have
more  Internet  users  than  all  of  the  remaining  states  that  make  up  the  top  twenty  states  with  the  most  Internet 
users  in  the  world.  Furthermore,  three  of  these  states  are  permanent  members  of  the  U.N.  Security  Council — 
France,  the  United  Kingdom  and  the  United  States.  The  United  States  is  the  only  non-European  state  to  ratify 
the  treaty.  Furthermore,  while  not  yet  parties  to  the  treaty,  Canada,  Japan,  Spain,  Poland  and  Sweden  are  all 




Furthermore,  it  demonstrates  state  recognition  of  both  the  need  to  criminalize  cyberattacks, 
and  the  duty  of  states  to  prevent  their  territory  from  being  used  by  non-state  actors  to  conduct 
cyberattacks  against  other  states.  The  Convention  is  also  significant  because  it  recognizes 
that  cyberattacks  cannot  be  interdicted  during  the  middle  of  an  attack,  and  that  the  only  way 
to  prevent  them  is  through  aggressive  law  enforcement,  coupled  with  state  cooperation. 

International  treaties  to  criminalize  terrorism  provide  further  support,  albeit  indirectly,  for 
the  duty  to  prevent  cyberattacks.  The  international  community  recognizes  terrorism  as  a 
threat to international peace and security, but cannot agree on a definition of it. As a
result, states have adopted the approach of outlawing specific terrorist acts each time
terrorists adopt new attack methods, rather than outlawing terrorism itself. These treaties


signatories  to  it,  and  are  expected  to  ratify  it  soon.  These  five  states  are  all  among  the  remaining  twenty  states 
with  the  most  Internet  users  in  the  world,  and  their  ratification  of  the  treaty  would  greatly  move  state  practice  to 
the  standards  set  forth  in  the  convention.  See  Council  of  Europe,  Convention  on  Cybercrime,  Chart  of 
Signatures and Ratifications, http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=18/06/04&CL=ENG
(listing the twenty-four signatories and twenty-two parties to the Convention on
Cybercrime) (last visited Mar. 19, 2009); COLARIK, supra note 6, at 151 (listing the top twenty states with the
most  Internet  subscribers  in  2005). 

The  Convention  on  Cybercrime  requires  the  parties  to  it  to  establish  criminal  offenses  for  almost  every 
conceivable  type  of  cyberattack  under  their  domestic  laws.  See  Convention  on  Cybercrime,  supra  note  22,  art. 
2-11, at 284-87. It also recognizes the importance of prosecuting attackers, which is demonstrated by its
requirement for states to extend their jurisdiction over any cyberattacks conducted from within their territory, or
conducted by their citizens regardless of their location at the time of attack. See id., art. 22, at 291-92. Finally,
the convention recognizes the importance of state cooperation to hunt down attackers and bring them to justice,
requiring  states  to  cooperate  with  each  other  and  provide  “mutual  assistance  to  the  widest  extent  possible  for  the 
purpose  of  investigations  or  proceedings  concerning  criminal  offences.”  See  id.,  art.  23-25,  at  292-93. 

See Kamal, supra note 22, at 71.

Pierre-Marie Dupuy, State Sponsors of Terrorism: International Responsibility, in ENFORCING
INTERNATIONAL LAW NORMS AGAINST TERRORISM 3, 4-6 (Andrea Bianchi ed., 2004). “One of the reasons
why it has been difficult to secure a universally accepted definition of terrorism has been that some States,
primarily from the developing world, have sought to resist condemnation of practices and activities which they
may have resorted to in their acquiring of independence, particularly during decolonization.” Garnett & Clarke,
supra  note  13,  at  466. 

Dupuy, supra note 384, at 4-6; Garnett & Clarke, supra note 13, at 466. These treaties include the 1963
Tokyo  Convention  on  Offences  and  Certain  Other  Acts  Committed  on  Board  Aircraft,  the  1970  Hague 
Convention  for  the  Suppression  of  Unlawful  Seizure  of  Aircraft,  the  1971  Montreal  Convention  for  the 




impose  several  common  requirements  on  states  with  regard  to  terrorist  attack  methods,  such 
as:  taking  all  practicable  measures  for  the  purpose  of  preventing  these  attacks,  criminalizing 
the  attacks,  submitting  cases  to  competent  authorities  for  prosecution,  and  forcing  states  to 
cooperate with each other throughout the criminal proceedings. While these treaties do not
address cyberattacks, the principles contained in them help influence state requirements
under CIL with regard to terrorism. Since there is growing evidence that cyberattacks will
soon be a weapon of choice for terrorists, states should refer to the common principles
found in these treaties as opinio juris when cyberattacks are used as a terrorist weapon.


2.  Support  from  State  Practice 


State treatment of cyberattacks under their criminal laws also evidences recognition of the
duty  to  prevent  cyberattacks  under  CIL.  Numerous  states  criminalize  and  prosecute 
cyberattacks  as  a  way  to  deter  attackers  from  conducting  them,  on  the  basis  that  vigorous  law 


Suppression  of  Unlawful  Acts  Against  the  Safety  of  Civil  Aviation,  the  1979  International  Convention  Against 
the Taking of Hostages, the 1988 Convention for the Suppression of Unlawful Acts Against the Safety of
Maritime  Navigation,  the  1988  Montreal  Protocol  on  the  Suppression  of  Unlawful  Acts  of  Violence  at  Airports 
Serving  International  Civil  Aviation,  the  1997  International  Convention  for  the  Suppression  of  Terrorist 
Bombings,  the  1999  International  Convention  for  the  Suppression  of  the  Financing  of  Terrorism,  and  the  2005 
International  Convention  for  the  Suppression  of  Acts  of  Nuclear  Terrorism.  See  Dupuy,  supra  note  384,  at  4-6 
(using several of these treaties as examples of treaties that outlawed particular terrorist attack methods); Garnett
&  Clarke,  supra  note  13,  at  466  (using  several  of  these  treaties  as  examples  of  treaties  that  outlawed  particular 
terrorist  attack  methods). 

See generally Hague Convention for the Suppression of Unlawful Seizure of Aircraft, done Dec. 16, 1970,
22 U.S.T. 1641, T.I.A.S. No. 7192; Montreal Convention for the Suppression of Unlawful Acts Against the
Safety of Civil Aviation, done Sept. 23, 1971, 24 U.S.T. 564, T.I.A.S. No. 7570; International Convention
Against the Taking of Hostages, opened for signature Dec. 18, 1979, 18 I.L.M. 1456; Convention for the
Suppression of Unlawful Acts Against the Safety of Maritime Navigation, done Mar. 10, 1988, 1678 U.N.T.S.
221, 27 I.L.M. 668; International Convention for the Suppression of Terrorist Bombings, opened for signature
Jan. 12, 1998, 37 I.L.M. 249; International Convention for the Suppression of the Financing of Terrorism,
opened for signature Jan. 10, 2000, 39 I.L.M. 270; International Convention for the Suppression of Acts of
Nuclear Terrorism, opened for signature Sept. 14, 2005, 44 I.L.M. 815.

Garnett & Clarke, supra note 13, at 467; ROLLINS & WILSON, supra note 15, at CRS-1.



enforcement  is  the  only  way  to  protect  and  prevent  harm  to  their  computer  systems.  This 
lends  credence  to  the  notion  that,  unlike  a  conventional  attack  which  can  be  stopped  after 
detection,  cyberattacks  can  only  be  stopped  by  establishing  ex  ante  barriers  that  attackers  are 
fearful  of  crossing.  Furthermore,  these  state  practices  demonstrate  a  growing  recognition 
among  states  that  cyberattacks  must  be  stopped,  and  that  the  way  to  do  so  is  through  vigorous 
state  law  enforcement. 

State  responses  to  transnational  terrorist  attacks  further  support  recognition  of  a  duty  to 
prevent cyberattacks under CIL. After the 9/11 terrorist attacks, states across the world
condemned terrorism as a threat to international peace and security, and provided various
forms of support to the United States in its war against Al Qaeda. Ensuring that terrorism
will  forever  be  legally  recognized  as  a  threat  to  international  peace  and  security,  the  Security 
Council  passed  Resolution  1373,  which  reaffirmed  that  acts  of  international  terrorism  were 
threats  to  international  peace  and  security,  and  called  on  states  to  work  together  to  prevent 
and suppress terrorism. The resolution further directed states to “refrain from providing


See  Kamal,  supra  note  22,  at  176.  Australia’s  Cyber-Crime  Act  of  2001  criminalizes  the  unauthorized 
access or modification of computer data. Austria’s Privacy Act of 2000 criminalizes the unauthorized access of
any  computer  data.  Belgium’s  criminal  code  targets  computer  crime  and  basically  outlaws  all  forms  of 
cyberattack.  Brazil’s  law  number  9,983  of  2000  criminalizes  the  unauthorized  alteration  of  computer  data. 
Canada’s  Criminal  Code  Section  342.1  criminalizes  most  forms  of  cyberattacks.  Denmark’s  Penal  Code 
Section  263  criminalizes  unauthorized  access  to  computer  information  and  programs.  France’s  Penal  Code 
Article  323-1  criminalizes  the  fraudulent  access  of  computer  systems.  Germany’s  Penal  Code  criminalizes  the 
unauthorized  access  or  modification  of  computer  data,  and  damaging  a  computer  system.  India’s  Information 
Technology  Act  of  2000  criminalizes  computer  hacking.  Japan’s  Unauthorized  Computer  Access  Law  of  1999 
criminalizes  most  forms  of  cyberattacks.  The  Netherlands  Penal  Code  Article  138  criminalizes  the 
unauthorized  access  of  a  computer  system.  South  Africa’s  Electronic  Communications  and  Transactions  Act  of 
2002 criminalizes cybercrime. Switzerland’s Penal Code Article 143bis criminalizes the unauthorized access of
computer  data.  The  United  States  and  United  Kingdom  both  have  robust  criminal  laws  against  cyberattacks, 
basically  criminalizing  all  forms  of  them.  See  id.  at  17-22, 40-42,  175-184.  Many  other  states  have 
criminalized  computer  crimes,  such  as  the  unauthorized  access  or  alteration  of  data,  or  computer  sabotage,  but 
those  laws  shall  not  be  covered  in  this  paper.  Garnett  &  Clarke,  supra  note  13,  at  471. 

See  supra  Part  V.A. 

S.C.  Res.  1373,  U.N.  Doc.  S/RES/1373  (Sept.  28, 2001). 




any  form  of  support”  to  terrorists  through  act  or  omission,  to  “deny  safe  haven”  to  those  who 
commit terrorist acts, and “afford one another the greatest measure of assistance in
connection with criminal investigations . . . [or] proceedings” related to terrorism.

While  the  international  community’s  response  to  terrorism  does  not  directly  define  CIL 
regarding  cyberattacks,  it  is  persuasive  on  several  fronts.  First,  it  shows  that  states  have  a 
duty  to  prevent  threats  to  international  peace  and  security.  Second,  it  demonstrates  that 
passive  acquiescence  to  threats  to  international  peace  and  security  will  not  be  tolerated. 
Finally,  it  demonstrates  that  states  must  work  together  to  prevent  and  suppress  threats  to 
international  peace  and  security.  Because  states  are  growing  more  dependent  on  computer 
systems  connected  to  the  Internet,  and  cyberattacks  are  increasing  in  both  frequency  and 
potency,  there  should  be  little  doubt  that  cyberattacks  are  a  growing  threat  to  international 
peace  and  security.  The  more  cyberattacks  resemble  terrorism,  the  more  easily  they  will  fit 
into  the  paradigm  constructed  to  deal  with  transnational  terrorism.  However,  no  matter  what 
purpose  cyberattacks  are  used  for,  they  represent  a  threat  to  international  peace  and  security, 
and  should  be  dealt  with  similarly  to  other  recognized  transnational  threats. 

Numerous  U.N.  declarations  about  international  crime  also  support  recognition  of  the  duty 
to  prevent  cyberattacks  as  described  in  this  section.  These  declarations  urge  states  to  take 
affirmative  steps  to  prevent  non-state  actors  from  using  their  territory  to  commit  acts  that 
cause  civil  strife  in  another  state. Furthermore,  these  declarations  also  support  the  duty  of 

See  supra  Part  II,  introduction;  supra  Part  III.B. 

See  supra  Part  II,  introduction;  supra  Part  III.B. 

The  1970  Declaration  on  Friendly  Relations  urges  states  to  “refrain  from  . . .  acquiescing  [to]  organized 
activities  within  [their]  territory  directed  towards  the  commission  of  [civil  strife  or  terrorism  in  another  state].” 




states  to  cooperate  with  one  another  to  eliminate  transnational  crime,  which  lends  credence  to 
the  duty  to  cooperate  with  victim-states  during  the  criminal  investigation  and  prosecution  of 
cyberattacks. 

Focusing  specifically  on  cyberattacks,  states  have  made  declarations  themselves,  and  used 
the  U.N.  General  Assembly  to  make  numerous  declarations  about  the  importance  of 
preventing  cyberattacks.  For  instance,  the  U.N.  General  Assembly  has  called  on  states  to 
criminalize cyberattacks, and to deny their territory from being used as a safe haven to
conduct cyberattacks through state practice. The General Assembly has also called on
states  to  cooperate  with  each  other  during  the  investigation  and  prosecution  of  international 


G.A. Res. 2625, supra note 211, ¶ 1. The 2000 Vienna Declaration on Crime and Justice states that “We [must]
commit ourselves to working towards enhancing our ability to prevent, investigate and prosecute high-technology
and computer-related crime.” 2000 Vienna Declaration on Crime and Justice: Meeting the
Challenges of the Twenty-First Century, G.A. Res. 55/59, Annex, ¶ 18, U.N. Doc. A/RES/55/59/Annex (Jan. 17,
2001). The 2001 Draft Articles of State Responsibility require states to affirmatively take action to uphold their
international  duties  to  other  states,  including  those  arising  from  CIL,  and  declare  that  when  states  fail  to  act, 
they  may  be  held  indirectly  responsible  for  such  inaction.  Draft  Articles  on  the  Responsibility  of  States  for 
Internationally  Wrongful  Acts,  U.N.  Doc.  A/CN.4/L.602/Rev.  1  (2001). 

The  1970  Declaration  on  Friendly  Relations  notes  that  “States  have  a  duty  to  cooperate  with  one  another  . . . 
in order to maintain international peace and security.” G.A. Res. 2625, supra note 277, ¶ 1. The 2004 Report
of  the  High-Panel  on  Threats,  Challenges  and  Change  recognizes  the  growing  threat  of  organized  transnational 
crime  as  a  threat  to  international  peace  and  security,  stating  that  “today,  more  than  ever,  threats  are  interrelated 
and  a  threat  to  one  is  a  threat  to  all.”  The  Secretary-General,  Report  of  the  High-Panel  on  Threats,  Challenges 
and Change, ¶ 17, delivered to the General Assembly, U.N. Doc A/59/565 (Dec. 2, 2004). It goes on to further
state: 

No  State,  no  matter  how  powerful,  can  by  its  own  efforts  alone  make  itself  invulnerable  to 
today’s  threats.  Every  State  requires  the  cooperation  of  other  States  to  make  itself  secure.  It 
is  in  every  State’s  interest,  accordingly,  to  cooperate  with  other  states  to  address  their  most 
pressing  threats,  because  doing  so  will  maximize  the  chances  of  reciprocal  cooperation  to 
address  its  own  threat  priorities. 

Id. ¶ 24.

G.A. Res. 45/121, ¶ 3, U.N. Doc. A/RES/45/121 (Dec. 14, 1990) (embracing the principles adopted by the
Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, and inviting states
to follow them); G.A. Res. 55/63, ¶ 1, U.N. Doc. A/RES/55/63 (Jan. 22, 2001); see also Eighth United Nations
Congress on the Prevention of Crime and the Treatment of Offenders, Havana, Cuba, Aug. 27-Sept. 7, 1990,
report prepared by the Secretariat, at 140-43, U.N. Doc. A/CONF.144/28/Rev.1 (1991).

G.A. Res. 55/63, supra note 396, ¶ 1.




cyberattacks. Even China has said it will “take firm and effective action to prevent all
hacking attacks that threaten computer systems.” Furthermore, states are starting to
recognize the threat that cyberattacks pose to international peace and security, with some
states and the General Assembly directly recognizing cyberattacks as a danger to
international peace and security. These declarations all evidence recognition that the duty


G.A. Res. 45/121, supra note 396, ¶ 3 (embracing the principles adopted by the Eighth United Nations
Congress on the Prevention of Crime and the Treatment of Offenders, and inviting states to follow them); G.A.
Res. 55/63, supra note 396, ¶ 1; see also Eighth United Nations Congress on the Prevention of Crime and the
Treatment of Offenders, Havana, Cuba, Aug. 27-Sept. 7, 1990, report prepared by the Secretariat, at 140-43,
U.N. Doc. A/CONF.144/28/Rev.1 (1991).

McGregor  &  Williamson,  supra  note  43  (quoting  China’s  Premier  Wen  Jiabao’s  pledge  to  prevent 
international  cyberattacks  in  response  to  allegations  that  China  is  ignoring  international  cyberattacks). 

See The White House, the National Strategy to Secure Cyberspace (2003) (noting the threat that
cyberattacks pose to international peace and security); Convention on Cybercrime, supra note 22 (recognizing
cyberattacks as a threat to international peace and security and calling on states to work together to end the
cyberthreat); Huw Jones, Estonia Calls for EU Law to Combat Cyberattacks, REUTERS, Mar. 12, 2008,
http://www.reuters.com/article/reutersEdge/idUSL1164404620080312 (reporting Estonia’s call to fight
cyberattacks as a threat to international peace and security); G.A. Res. 53/70, U.N. Doc. A/RES/53/70 (Jan. 4,
1999) (noting that information technology can affect the interests of the entire international community;
expressing concern that information technology can be used to disrupt international stability; and noting that it
is necessary for states to stop information technology from being used for criminal or terrorist purposes); G.A.
Res. 54/49, ¶ 2, U.N. Doc. A/RES/54/49 (Dec. 23, 1999) (considering it necessary to prevent the use of
information technology to be used for criminal or terrorist purposes, and recommending states develop
international principles to combat cybercrime and cyberterrorism); G.A. Res. 55/28, U.N. Doc. A/RES/55/28
(Dec. 20, 2000) (recognizing that the misuse of information technology can be a threat to international stability,
and urging states to cooperate to eliminate the misuse of such technology); G.A. Res. 56/19, U.N. Doc.
A/RES/56/19 (Jan. 7, 2002) (reaffirming the conclusions of General Assembly Resolutions 53/70, 54/49, and
55/28); G.A. Res. 56/121, U.N. Doc. A/RES/56/121 (Jan. 23, 2002) (noting increased state cooperation to
combat criminal misuse of information technology; noting the necessity of preventing the criminal misuse of
information technology; underlining the need to continue to increase state cooperation against the criminal
misuse of information technology; and urging states to continue to work to eliminate the criminal misuse of
information technology); G.A. Res. 57/53, U.N. Doc. A/RES/57/53 (Dec. 30, 2002); G.A. Res. 57/239, ¶¶ 1-5,
U.N. Doc. A/RES/57/239 (Jan. 31, 2003) (calling on states to “create a global culture of cybersecurity”); G.A.
Res. 58/32, U.N. Doc. A/RES/58/32 (Dec. 18, 2003); G.A. Res. 58/199, ¶¶ 1-6, U.N. Doc. A/RES/58/199 (Jan.
30, 2004) (recognizing the threat that cyberattacks pose to CNI; recognizing that protecting CNI requires
international cooperation and law enforcement; and calling on states to create a global culture of cybersecurity);
G.A. Res. 59/61, U.N. Doc. A/RES/59/61 (Dec. 16, 2004); G.A. Res. 59/220, ¶ 4, U.N. Doc. A/RES/59/220
(Feb. 11, 2005) (endorsing the Declaration of Principles adopted at the 2003 World Summit on the Information
Society, available at http://www.itu.int/wsis/docs/geneva/official/dop.html, which recognizes the need for states
to prevent information technology from being used for criminal or terrorist purposes); G.A. Res. 60/45, U.N.
Doc. A/RES/60/45 (Jan. 6, 2006); G.A. Res. 60/252, ¶ 8, U.N. Doc. A/RES/60/252 (Apr. 27, 2006) (reiterating
the need for state cooperation); G.A. Res. 61/54, U.N. Doc. A/RES/61/54 (Dec. 19, 2006); see also G.A. Res.
51/210, ¶ 3, U.N. Doc. A/RES/51/210 (Dec. 16, 1996) (calling upon states “to note the risk of terrorists using
electronic or wire communications systems and networks to carry out criminal acts and the need to find means,




of  states  to  prevent  cyberattacks  as  a  matter  of  CIL  also  includes  the  following  lesser  duties: 
passing  stringent  criminal  laws,  vigorously  investigating  cyberattacks,  prosecuting  attackers, 
and  having  the  host-state  and  victim-state  cooperate  during  the  investigation  and  prosecution 
of  cases. 

3.  Support  from  the  General  Principles  of  Law 

The  general  principles  of  law  common  to  civilized  nations  also  support  recognition  of  a 
duty  to  prevent  cyberattacks.  It  is  a  well-established  principle  under  the  domestic  laws  of 
most  states  that  individuals  should  be  responsible  for  acts  or  omissions  that  have  a  causal  link 
to harms suffered by another individual. While international law is not obligated to follow
the domestic laws of states, international law may be “derived from the general principles
common to the major legal systems of the world.” Since most states use causation as a
principle  for  establishing  individual  responsibility,  it  lends  credence  to  the  idea  that  a  state’s 
responsibility  should  also  be  based  on  causation.  Thus,  if  a  state  failed  to  pass  stringent 
criminal  laws,  did  not  investigate  international  cyberattacks,  or  did  not  prosecute  attackers,  it 


consistent  with  national  law,  to  prevent  such  criminality  and  to  promote  cooperation  where  appropriate”);  S.C. 
Res. 1373, supra note 390, ¶ 3 (calling upon states to cooperate and share information about the “use of
communication  technology  by  terrorist  groups”). 

Becker,  supra  note  304,  at  285-86.  Causation  is  applied  differently  by  states.  Some  states  use  a  ‘but  for’ 
test,  looking  to  see  whether  the  harm  in  question  “would  have  occurred  were  it  not  for  the  conduct  in  question.” 
Id.  at  291.  Other  states  use  a  ‘proximate  cause’  test,  looking  to  see  whether  harm  was  reasonably  foreseeable  as 
a  result  of  an  individual’s  actions  or  omissions.  Id.  Omissions  are  generally  treated  the  same  as  acts.  So,  for 
instance,  if  a  parent  chose  not  to  feed  his/her  child,  the  parent  would  still  bear  responsibility  for  the  harm  to  the 
child  because  his/her  failure  to  act  caused  harm  when  it  was  his/her  duty  to  prevent  such  harm.  Id.  at  294-97. 

Id. at 287.

Restatement,  supra  note  283,  §  102. 




should  be  held  responsible  for  international  cyberattacks  against  another  state  because  its 
omission  helped  create  a  safe  place  for  attackers  to  attack  other  states.  Furthermore,  the 
general  duty  to  prevent  attacks  already  accounts  for  causation  to  some  degree, which 
supports  using  causation  analogies  from  domestic  laws  when  interpreting  the  customary  duty 
to  prevent  cyberattacks. 

4.  Support  from  Judicial  Opinions 

Finally,  judicial  opinions  further  support  recognition  of  a  state’s  affirmative  duty  to 
prevent  cyberattacks  from  its  territory  against  other  states.  In  Tellini,  a  special  committee  of 
jurists  held  that  a  state  may  be  held  responsible  for  the  criminal  acts  of  non-state  actors  when 
it  “neglect[s]  to  take  all  reasonable  measures  for  the  prevention  of  the  crime  and  pursuit, 
arrest and bringing to justice of the criminal.” In S.S. Lotus, the Permanent Court of
International Justice (ICJ) held that “a state is bound to use due diligence to prevent the
commission within its dominions of criminal acts against another nation or its people.” In
Corfu  Channel,  the  ICJ  held  that  states  have  a  duty  “not  to  allow  knowingly  its  territory  to  be 


For  instance,  in  Corfu  Channel  Case,  the  ICJ  held  that  Albania  was  responsible  for  notifying  British  ships  of 
a  minefield  in  their  waters,  even  though  the  mines  were  laid  by  non-state  actors,  because  it  was  unreasonable  to 
assume  that  Albania  did  not  know  of  their  presence  (even  though  Albania  claimed  not  to  know  of  them),  and 
because  states  have  a  duty  to  prevent  their  territory  from  being  used  to  harm  other  states  when  it  is  within  their 
power  to  do  so.  In  effect,  Albania  could  have  prevented  the  British  ships  from  hitting  the  mines,  but  their 
failure to act caused the British ships harm. See Corfu Channel Case (Merits), 1949 I.C.J. 4 (Apr. 9). But see
Becker,  supra  note  304,  at  287-89  (noting  that  some  scholars  argue  that  international  law  and  domestic  law  are 
so  dissimilar  that  comparisons  between  the  two  are  useless). 

Tellini  case,  4  League  of  Nations  O.J.  524  (1924). 

See  S.S.  Lotus  (Fr.  v.  Turk.)  1927  P.C.I.J.  (ser.  A)  No.  10,  at  4,  88  (Moore,  J.,  dissenting). 




used for acts contrary to the rights of other states.” While these are older cases, the
principles  in  the  cases  still  stand  for  and  lend  support  to  the  notion  that  states  have  a  duty  to 
prevent  their  territory  from  being  used  to  commit  criminal  acts  against  another  state,  as  well 
as  the  duty  of  states  to  pursue,  arrest  and  bring  to  justice  criminals  who  have  conducted 
cross-border  attacks  on  other  states. 

5. Further Defining a State’s Duty to Prevent Cyberattacks

A  state’s  duty  to  prevent  cyberattacks  should  not  be  based  on  a  state’s  knowledge  of  a 
particular  cyberattack  before  it  occurs,  but  rather  on  its  actions  to  prevent  cyberattacks  in 
general.  Cyberattacks  are  extremely  difficult  for  host-states  to  detect  prior  to  the  commission 
of a specific attack, and are often committed by individuals or groups who aren’t even on a
state’s radar. However, just because cyberattacks are difficult to prevent does not mean that
states cannot breach their duty to prevent them. Stringent criminal laws and vigorous law
enforcement will deter cyberattacks. States that fail to enact such laws fail to live up to
their  duty  to  prevent  cyberattacks  through  passiveness  and  indifference.  Likewise,  even 
when  a  state  has  stringent  criminal  laws  on  the  books,  if  it  looks  the  other  way  when 
cyberattacks  are  conducted  against  rival  states,  it  effectively  breaches  its  duty  to  prevent 
cyberattacks  through  its  unwillingness  to  do  anything  to  stop  the  cyberattacks,  just  as  if  it  had 


Corfu  Channel  Case  (Merits),  1949  I.C.J.  4,  22  (Apr.  9). 

See Naraine, supra note 167 (referencing Secretary of Homeland Security Michael Chertoff’s speech on the
vulnerability  of  federal  computer  systems). 

See  COLARIK,  supra  note  6,  at  39;  Kamal,  supra  note  22,  at  176. 




approved them. In other words, a state’s passiveness and indifference toward cyberattacks
make  it  a  sanctuary  state,  where  attackers  can  safely  launch  attacks.  When  viewed  in  this 
light,  it  becomes  apparent  that  a  state  can  be  held  indirectly  responsible  for  cyberattacks 
under  the  established  principles  of  CIL. 


D.  Becoming  a  Sanctuary  State:  Practices  that  Lead  to  State  Responsibility 


The  question  of  whether  a  state  is  acting  as  a  sanctuary  state  is  extremely  fact  dependent. 
When  considering  this  question,  victim-states  must  look  at  the  host-state’s  criminal  laws,  law 
enforcement  practices,  and  track  record  of  cooperating  with  the  victim-states  of  cyberattacks 
that  previously  originated  from  inside  its  borders.  In  effect,  host-states  will  be  judged  on 
their  efforts  to  catch  and  prosecute  attackers  who  have  committed  cyberattacks,  which  is 
probably  the  only  way  that  states  can  deter  and  prevent  future  attacks.  Since  victim-states 
will  end  up  judging  whether  a  host-state  has  lived  up  to  its  international  duties,  host-states 
must  cooperate  with  victim-states  to  ensure  transparency.  Cooperation  will  necessarily  entail 
a  host-state  showing  its  criminal  investigations  to  a  victim-state,  so  victim-states  can 
correctly  judge  host-state  action.  Furthermore,  when  a  host-state  lacks  the  technical  capacity 
to  track  down  an  attacker,  the  law  should  require  it  to  work  together  with  law  enforcement 
officials from the victim-state to jointly track down the attackers. These two measures will


States that are unable to fulfill their duty to prevent cyberattacks, due to the lack of technical expertise,
should be viewed as in compliance with their duty to prevent them when they accept technical assistance from the
victim-state to hunt down the attackers who attacked it. Cooperating in law enforcement efforts demonstrates
their willingness to prevent cyberattacks. By contrast, states that lacked the technical expertise to hunt attackers,
but who refused to accept outside assistance, would be viewed as unwilling to take the necessary steps to bring
attackers  to  justice. 

This  position  is  supported  by  numerous  United  Nations  General  Assembly  Resolutions,  the  European 
Convention  on  Cybercrime,  and  other  United  Nations  documents,  which  all  generally  urge  states  to  cooperate  in 




prevent  host-states  from  being  perceived  as  uncooperative  and  complicit  in  the  use  of  their 
networks  for  attacks  against  other  states.  States  that  deny  involvement  in  a  cyberattack,  but 
refuse  to  open  their  investigative  records  to  the  victim-state,  end  up  casting  doubt  on  their 
willingness  to  stop  cyberattacks  and  cannot  expect  to  be  treated  as  a  state  living  up  to  its 
international  duties.  In  effect,  host-states  that  refuse  to  cooperate  with  victim-states  are 
unwilling  to  prevent  cyberattacks  and  have  declared  themselves  a  sanctuary  state. 

Once  a  host-state  demonstrates  that  it  is  a  sanctuary  state  through  inaction,  other  states  can 
impute  responsibility  to  it.  At  that  point,  it  becomes  liable  for  the  cyberattack  that  triggered 
an initial call for investigation, as well as all future cyberattacks originating from it. This
opens  the  door  to  a  victim-state  to  use  active  defenses  against  the  computer  servers  in  that 
state  during  a  cyberattack. 

VII.  The  Choice  to  Use  Active  Defenses:  Moving  Towards  a  Workable  Approach 

While  this  paper  urges  states  to  use  active  defenses  to  protect  their  computer  networks, 
states  that  choose  to  use  them  will  find  themselves  confronted  with  difficult  legal  decisions 
as  a  result  of  the  limits  of  technology.  Technological  limitations  will  place  states  in  a 
position  where  a  timely  decision  to  use  active  defenses  requires  states  to  decide  to  use  them 
with  imperfect  knowledge.  Since  forcible  responses  to  cyberattacks  must  comply  with  both 
principal areas of the law of war (jus ad bellum and jus in bello), the decision to use active


investigating  and  prosecuting  the  criminal  misuse  of  information  technologies.  See  supra  notes  382,  394-98, 
400 and accompanying text; UNITED NATIONS MANUAL ON THE PREVENTION AND CONTROL OF COMPUTER
RELATED CRIME 268-73 (1995), available at http://www.uncjin.org/Documents/irpc4344.pdf

See  supra  notes  170-71  and  accompanying  text. 




defenses  raises  several  other  questions  of  law,  not  yet  covered  in  this  paper,  as  a  result  of 
these  technical  limitations.  From  a  practical  standpoint,  this  will  affect  state  decision-making 
at  the  highest  and  lowest  levels  of  government.  State  policy-makers  will  need  to  account  for 
these  limitations  when  setting  state  policy,  while  state  system  administrators  will  need  to 
account  for  these  limitations  when  responding  to  actual  cyberattacks. 

This  part  will  analyze  these  issues.  First,  it  will  analyze  the  technological  limitations  that 
are  likely  to  affect  state  jus  ad  bellum  analysis.  Next,  it  will  move  on  to  jus  in  bello  issues. 
Jus  in  bello  analysis  will  begin  with  the  decision  to  use  force,  analyzing  why  active  defenses 
are the most appropriate forceful response to cyberattacks. Finally, jus in bello analysis will
conclude  with  the  impact  that  technological  limitations  are  likely  to  have  on  state  decisions  to 
use  force.  Once  this  is  complete,  it  will  be  clear  that  active  defenses  are  a  viable  way  for 
states  to  protect  themselves  despite  the  fact  that  technological  limitations  will  complicate 
state  decision-making. 

A.  Technological  Limitations  and  Jus  ad  Bellum  Analysis 

While  cyberattack  analysis  is  greatly  simplified  by  looking  at  whether  a  state  of  origin  has 
violated  its  duty  to  prevent,  rather  than  having  to  attribute  an  attack,  states  are  still  likely  to 
find  cyberattacks  difficult  to  deal  with  in  practice.  Jus  ad  bellum  requires  states  to  carefully 
analyze  a  cyberattack  and  ensure  that:  (1)  the  attack  constitutes  an  armed  attack  or  imminent 
armed  attack;  and  (2)  the  attack  originates  from  a  sanctuary  state.  Both  of  these  conditions 
must  exist  before  a  state  can  lawfully  respond  with  active  defenses  under  jus  ad  bellum. 




Cyberattack  analysis  will  be  conducted  by  system  administrators,  whose  position  puts 
them  at  the  forefront  of  computer  defense.  System  administrators  can  use  various  computer 
programs  to  facilitate  their  analysis.  Automated  detection  and  warning  programs  can  help 
detect intrusions, classify attacks, and flag intrusions for administrator action. Automated
or administrator-operated trace programs can trace attacks back to their point of origin.
These programs can help system administrators to classify cyberattacks as armed attacks or
lesser uses of force, and evaluate whether attacks originate from a state previously declared a
sanctuary state by state decision-makers. When attacks meet the appropriate legal thresholds,
system administrators may use active defenses to protect their networks.

Unfortunately,  technological  limitations  on  attack  detection,  attack  classification  and 
attack  traces  are  likely  to  further  complicate  state  decision-making  during  cyberattack 
analysis.  Ideally,  attacks  would  be  easy  to  detect,  classify  and  trace.  However,  this  is  not  the 
case.  This  section  will  analyze  the  technological  limits  of  these  programs  and  explore  their 
likely  impact  on  state  decision-makers  and  system  administrators. 

1.  Limitations  on  Attack  Detection 


See  Naraine,  supra  note  167  (referencing  a  speech  by  former  Secretary  of  Homeland  Security  Michael 
Chertoff,  in  which  he  described  the  Einstein  program,  which  the  federal  government  uses  to  protect  its  computer 
systems). 

See  Wheeler  &  Larsen,  supra  note  158,  at  23-24  (discussing  the  use  of  automated  tracer  programs  to  find  the 
originating  point  of  a  cyberattack).  See  generally  Wheeler  &  Larsen,  supra  note  158  (for  a  technical  discussion 
on  tracing  cyberattacks  back  to  their  point  of  origin). 

See  supra  Part  IV.C-D  (discussing  the  thresholds  for  armed  attacks  and  imminent  armed  attacks);  supra  Part 
VI. A  (discussing  cyberattacks  as  armed  attacks);  supra  Part  VI.B-C  (discussing  state  responsibility  for 
cyberattacks when states violate their duty to prevent them); see also Wheeler & Larsen, supra note 158, at 24
(noting  that  the  U.S.  Department  of  Defense  has  already  developed  these  capabilities,  but  has  been  restricted 
from  using  them  by  the  U.S.  Department  of  Justice  due  to  the  legal  issues  that  active  defenses  raise). 




While early detection and warning programs can help catch cyberattacks before they
reach their culminating point, even the best programs are unable to detect all cyberattacks.
As a result, cyberattacks are bound to harm states. From a legal perspective, the failure to
catch an attack until after its completion has both an upside and a downside. On the upside,
states would gain the luxury of time to evaluate an attack, since the threat of danger will have
already passed. On the downside, tracing an attack back to its source becomes more difficult
the farther removed the trace becomes from the time of attack. Furthermore, even when it
turns out that an armed cyberattack originates from a sanctuary state, state decision-makers
would need to think long and hard about using active defenses as a matter of law and policy.
The longer it takes to detect an attack, the less compelling the need for states to use active
defenses, especially when the attack seems truly complete. On the other hand, when an
attack that has reached completion is seen as part of a series of ongoing attacks, the need to
use active defenses to deter future attacks is more compelling.

2.  Limitations  on  Attack  Classification 


See  Naraine,  supra  note  167  (quoting  former  Secretary  of  Homeland  Security  Michael  Chertoff). 

See Wheeler & Larsen, supra note 158, at 51-52. An ongoing attack is the easiest form of cyberattack to
trace back to its source, allowing states to trace an electronic pathway back to the source. Id. at 9-42, 51-52.
Completed attacks are much more difficult to trace, since the electronic pathways no longer exist, data may be
destroyed, and piercing the shield that zombies or other intermediaries create for the true attacker (assuming
intermediaries were used) becomes more difficult once an attack has already been completed. Id. at 51-52.

The  more  an  attack  is  seen  as  part  of  a  series  of  attacks  originating  from  the  host-state,  the  more  extensive  a 
victim-state’s  response  can  be.  This  will  be  highly  fact-dependent,  based  on  behavioral  trends  of  the  host-state 
and  intelligence  about  the  host-state’s  intentions.  See  supra  Part  IV.C-D.  Thus,  cyberattacks  from  sanctuary 
states  are  more  likely  to  be  seen  as  part  of  an  ongoing  series  of  attacks,  even  when  the  attacks  are  actually 
committed  by  different  attackers  within  the  state,  because  they  have  already  demonstrated  that  they  allow 
attacks  to  come  from  them  unchecked.  See  supra  Part  VI.B-D. 




Early detection and warning programs will detect many cyberattacks mid-attack.
However, detecting an attack before its culmination makes it harder to classify. Naturally, a
system administrator will immediately attempt to shut down a cyberattack with passive
defenses as soon as it is detected. However, that is not the full extent of his job. The system
administrator must also assess the damage that has been done, as well as any likely future
damage, so that an informed decision can be made about whether to use active defenses.
When an ongoing cyberattack has already caused severe, invasive and measurable
damage, it can safely be classified as an armed attack, even though it is still ongoing. On
the  other  hand,  when  an  attack  has  not  caused  severe,  invasive  or  measurable  damage,  a 
system  administrator  will  need  to  look  at  the  immediacy  of  future  harm  to  determine  whether 


System  administrators  must  determine  whether  the  attack  meets  the  threshold  of  an  armed  attack.  To  do  so, 
they  would  need  to  weigh:  (1)  the  potential  harm  that  could  occur  from  the  attack  to  ensure  that  it  was  an  armed 
attack;  (2)  the  likelihood  of  fending  off  the  attack  with  purely  defensive  measures,  to  ensure  that  active  defenses 
were necessary; and (3) the imminency of such harm, since active defenses may not be employed until delaying
their  use  starts  to  endanger  the  state.  These  decisions  will,  no  doubt,  be  based  on  rules  promulgated  by  the 
victim-state  before  the  attack  ever  occurs.  These  rules  would  simplify  the  legal  framework  into  a  set  of  rules 
more  easily  understood  by  the  layman,  similar  to  the  rules  of  engagement  that  military  personnel  follow. 

See supra Part VI.A. A good example of an ongoing attack that had already risen to the level of an armed
attack  when  it  was  detected  was  the  2007  cyberattack  against  Estonia.  In  those  attacks,  the  cyberattack  no 
doubt  rose  to  the  level  of  an  armed  attack  early  in  the  process,  disrupting  the  ability  of  the  Estonian  government 
to  govern;  yet  the  attacks  continued  on  for  several  weeks  afterwards,  further  damaging  Estonian  systems  far 
beyond  the  damage  at  the  point  of  detection.  See  supra  Part  I,  introduction. 

Furthermore,  when  evaluating  a  cyberattack  as  an  armed  attack,  it  is  also  important  to  determine  whether  a 
cyberattack  is  part  of  a  series  of  coordinated  cyberattacks  against  a  state.  When  this  happens,  it  is  possible  for 
the  collective  effect  of  the  attacks  to  rise  to  the  level  of  an  armed  attack,  even  though  none  of  the  individual 
attacks  did  so.  In  this  type  of  situation,  cyberattacks  against  non-critical  infrastructure  can  be  considered  an 
armed  attack  based  on  their  collective  effect.  See  supra  Part  VI.A.  This  would  require  analysis  at  a  higher 
national  level  than  the  institution  being  individually  attacked,  but  might  be  possible  with  government 
coordination.  The  Cyber  Warning  and  Information  Network  and  National  Cyber  Alert  System  is  an  example  of 
such an effort in the United States. See WILSON, supra note 15, at CRS-31 to CRS-32. The 2007 cyberattacks
against  Estonia  were  an  example  of  a  coordinated  set  of  cyberattacks  that  collectively  rose  to  the  level  of  an 
armed  attack.  While  some  of  the  attacks  on  Estonia  were  against  critical  infrastructure,  and  might  have  been 
armed  attacks  anyway,  the  collective  effect  was  much  greater  than  the  damage  done  in  any  of  the  individual 
attacks,  and  certainly  pushed  those  cyberattacks  to  the  level  of  armed  force.  See  supra  Part  II,  introduction. 




the attack should be classified as an imminent armed attack. Given the lightning speeds
with which computer codes can execute, this will be very difficult to do, as delaying the use
of active defenses increases the likelihood of harm to a state.

The limitations on attack classification should give system administrators pause before
deciding to use active defenses in anticipatory self-defense. While it is lawful to make a
decision based on their best analysis of the facts, such determinations will be highly
speculative due to the shadowy nature of cyberattacks. Most likely, when a computer
intrusion is detected, the purpose of the attack will be extremely difficult to discern without
taking time to dissect a program’s code or review the audit logs of an attacker’s activity.
Furthermore, the speed with which cyberattacks execute will force system administrators to
make their best guess, even though they will probably be missing critical information. Given
the speculative nature of any such calculus, as a matter of policy, state decision-makers


See  supra  Part  VI.A. 

System  administrators  can  attempt  to  quarantine  and  analyze  malicious  code  to  buy  time.  However,  this  is 
not always possible. Furthermore, unauthorized remote penetrations cannot be quarantined or slowed down.
For these cyberattacks, system administrators will need to sever the connection and end the attack, which may
not  always  be  possible.  However,  all  of  this  takes  time,  which  is  why  it  is  easier  to  automate  classification  and 
trace  programs  to  uncover  the  basic  facts  about  a  cyberattack  and  its  point  of  origin,  flag  the  attack  for  a  system 
administrator’s  attention,  and  have  active  defenses  at  the  ready.  See  supra  Part  III.C. 

See  supra  note  366  and  accompanying  text. 

For  instance,  the  purpose  of  malware  may  range  from  collecting  information,  to  testing  a  state’s  defenses,  to 
launching  a  full  scale  attack.  Furthermore,  since  remote  penetrations  are  conducted  by  individuals,  the  purpose 
of  the  attack  may  be  impossible  to  know  without  questioning  the  attacker. 

Using  active  defenses  in  anticipatory  self-defense  will  undoubtedly  come  under  intense  international  scrutiny 
the first few times it happens, and anger the host-state whose borders were electronically crossed. While states
may legally act in anticipatory self-defense when it appears that an armed attack is imminent, they must be
prepared to be questioned by other states who do not agree with their analysis. Ultimately the state’s actions will
be  judged  using  the  Rendulic  Rule  from  a  legal  perspective,  and  in  the  court  of  public  opinion  from  a  diplomatic 
perspective.  Thus,  anticipatory  self-defense  should  only  be  used  when  a  state  feels  that  an  after-the-fact 
analysis  will  truly  support  its  actions.  See  supra  note  366  and  accompanying  text. 




may  want  to  tell  their  system  administrators  to  respond  to  cyberattacks  in  anticipatory  self- 
defense  only  as  an  act  of  last  resort  to  prevent  an  escalation  of  hostilities  between  states. 


3.  Limitations  on  Attack  Traces 


Cyberattacks are frequently conducted through intermediate computer systems to disguise
the true identity of an attacker. While trace programs are capable of penetrating
intermediate disguises back to their electronic source, their success rate is not perfect.
Thus, trace programs run the risk of incorrectly identifying the true source of an attack. This
creates an apparent problem because an attack could be incorrectly perceived as coming from
a state that is not the actual state of origin. However, this is not as big a problem as it
appears. State responsibility should still be judged on the facts at hand, even if it results in a
misattribution. The reason that misattribution is not a problem is twofold. First, as long as a
state assesses an attack to the best of its technical capability and acts in good faith on the
information on hand, it has met its international obligations. Second, states that refuse to
comply with their international duty to prevent their territory from being used to commit
cyberattacks have chosen to risk being held indirectly responsible by accident. After all, a
state can avoid being the target of active defenses, even when attacks originate from it, by


See  Wilson,  supra  note  15,  at  CRS-5  to  CRS-7  (discussing  the  use  of  zombie  computer  systems  to  disguise 
the identity of an attacker); Ruth Wedgwood, Proportionality, Cyberwar, and the Law of War, in COMPUTER
NETWORK ATTACK AND INTERNATIONAL LAW 219, 227-30 (Michael N. Schmitt & Brian T. O’Donnell eds.,
Naval War College 2002) (discussing the use of looping and weaving to disguise the identity of an attacker).
See  generally  Wheeler  &  Larsen,  supra  note  158  (discussing  the  technical  methods  of  using  intermediary 
computer  systems  to  disguise  the  source  of  a  cyberattack). 

See  generally  Wheeler  &  Larsen,  supra  note  158  (discussing  the  technical  capabilities  of  trace  programs). 

See  supra  note  366  and  accompanying  text. 




taking  affirmative  steps  to  prevent  cyberattacks,  such  as  enacting  stringent  criminal  laws, 
enforcing  those  laws,  and  cooperating  with  victim-states  to  bring  attackers  to  justice. 

B.  Jus  in  Bello  Issues  Related  to  the  Use  of  Active  Defenses 

Decisions to use force are governed by jus in bello. Jus in bello stands for the proposition
that states do not have a right to use unlimited force against other states during war. At its
core, jus in bello uses four basic principles to regulate the conduct of states during warfare.
These are the principles of distinction, necessity, humanity and proportionality.


This  proposition  is  derived  from  Hague  Convention  IV,  Annex,  Article  22,  which  states,  “[t]he  right  of 
belligerents  to  adopt  means  of  injuring  the  enemy  is  not  unlimited.”  Hague  Convention  IV  Respecting  the  Laws 
and Customs of War on Land and its Annex (Regulations), Oct. 18, 1907, 36 Stat. 2277, 1 Bevans 631
[hereinafter  Hague  IV]. 

COMMANDER’S HANDBOOK, supra note 59, § 5.3, 12.1.2.

COMMANDER’S HANDBOOK, supra note 59, § 5.3, 12.1.2.

Distinction “is the requirement to distinguish combatants and military objectives from noncombatants . . . and
civilian objects, and to attack only the former.” WINGFIELD, supra note 48, at 131. This principle is derived
from Additional Protocol I, Article 48, which states, “[p]arties to the conflict shall at all times distinguish
between the civilian population and combatants and between civilian objects and military objectives and
accordingly shall direct their operations only against military objectives.” Protocol Additional to the Geneva
Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts,
June 8, 1977, 1125 U.N.T.S. 3 [hereinafter Additional Protocol I]. However, distinction doesn’t protect
civilians who directly participate in hostilities. Id., art. 51(3).

Necessity limits the amount of force a state can use against legitimate targets “to that required for mission
accomplishment and force protection,” and forbids using force purely “for the sake of destruction.”
WINGFIELD, supra note 48, at 131.

Humanity  prohibits  the  use  of  weapons  designed  to  cause  unnecessary  suffering.  WINGFIELD,  supra  note  48,  at 
131.  This  principle  is  derived  from  Hague  Convention  IV,  Annex,  Article  23,  which  states,  “it  is  especially 
forbidden  ...  to  cause  unnecessary  suffering.”  Hague  IV,  supra  note  429. 

Proportionality  protects  civilians  and  their  property  the  same  way  necessity  and  humanity  protect  lawful  targets 
from  excessive  uses  of  force.  WINGFIELD,  supra  note  48,  at  154.  Understanding  that  attacks  on  legitimate 
targets will often cause incidental damage beyond the lawful target itself, proportionality limits the use of force
to  situations  in  which  the  expected  military  advantage  outweighs  the  expected  collateral  damage  to  civilians  and 




1. Active Defenses, the Most Appropriate Forceful Response


While the primary purpose of this paper is to urge states to use active defenses in
response to cyberattacks, once one accepts that states are legally authorized to respond to
cyberattacks with force, the necessary consequence is that states may use force to the extent
authorized under jus in bello. In other words, unless jus in bello stops states from using
conventional weapons, forcible responses are not limited to active defenses. Therefore, it is
worth explaining why state decision-makers should choose to use active defenses, as a matter
of policy, as the most appropriate response to cyberattacks.

Active defenses are the most appropriate type of force to use against cyberattacks in light
of the principles of jus in bello. There are several reasons for this. First, in terms of military
necessity, active defenses probably represent all the force needed to accomplish the mission
of defending against a cyberattack. Active defenses can trace an attack back to its source and
immediately disrupt it, whereas kinetic weapons will be slower and less effective than the
lightning speed of a hack-back. Therefore, employing kinetic weapons over active
defenses will not only be less effective, but will also violate the principle of necessity by
employing force purely for destruction’s sake. Second, in terms of proportionality, active
defenses are less likely to cause disproportionate collateral damage than kinetic weapons.
The traceback capabilities of active defenses allow them to target only the source of a

their  property.  WINGFIELD,  supra  note  48,  at  154-55.  This  principle  is  derived  from  Additional  Protocol  I, 
Article 51(5)(b), which states that it is prohibited to use force that “is expected to cause incidental loss of
civilian  life,  injury  to  civilians,  damage  to  civilian  objects,  or  a  combination  thereof,  which  would  be  excessive 
in  relation  to  the  concrete  and  direct  military  advantage  anticipated.”  Additional  Protocol  I,  supra  note  431. 

See  supra  note  171  and  accompanying  text. 

See supra Part III.C (discussing defenses to cyberattacks).




cyberattack. While collateral damage may still result because the originating computer
system may serve multiple functions, unless an attacker uses CNI to conduct the attack,
damage should be fairly limited from the use of active defenses. Furthermore, since the
majority of cyberattacks are conducted by non-state actors, it seems unlikely that many
attacks will come from CNI. Thus, active defenses provide states a way to surgically
strike at their attacker with minimal risks of severe collateral damage to the host-state,
thereby meeting the proportional requirement “to select [the] method or means of warfare
likely to cause the least collateral damage and incidental injury, all other things being
equal.” Finally, while not stemming from jus in bello, choosing active defenses over
kinetic weapons should reduce the chance of escalating these situations into full scale armed
conflicts between states.


See  supra  Part  III.C  (discussing  the  capabilities  of  active  defenses);  Wheeler  &  Larsen,  supra  note  158,  at 
23-24  (discussing  the  use  of  automated  tracer  programs  to  find  the  originating  point  of  a  cyberattack).  But  see 
infra Part VII.A.3 (discussing the limitations of trace programs).

See  Jensen,  supra  note  5,  at  232. 

However, when cyberattacks originate from critical systems the host-state bears responsibility for allowing
them to be used in such a manner because states have an obligation to police their own citizens. See supra Part
V.B. By failing to do so, states declare themselves sanctuary states and give other states the legal grounds to
respond in self-defense to cyberattacks from them. See supra Part V.C-D. The principle of discrimination
requires states to segregate their civilian objects from military objects. See Jensen, supra note 366, at 1174
(referencing Additional Protocol I, Article 58). Thus, the host-state is effectively responsible for the collateral
damage that occurs because it has allowed attackers within its territory to mix their means of attack with civilian
objects, making them dual use in nature and legitimate subjects of attack. See Michael Schmitt, Wired Warfare:
Computer Network Attack and the Jus in Bello, in COMPUTER NETWORK ATTACK AND INTERNATIONAL LAW
187, 198-99 (Michael N. Schmitt & Brian T. O’Donnell eds., Naval War College 2002).

See Jensen, supra note 366, at 1174 (noting that active defenses can be designed to simply shut a computer
off to stop an attack, rather than permanently disabling it); Schmitt, supra note 436, at 204-05 (arguing that
active defenses may simply shut down computer systems for a brief time, rather than having to use kinetic
weapons, which inherently cause physical destruction to achieve their objectives). But see Wedgwood, supra
note 426, at 227-30 (arguing that it is harder to confine the effects of active defenses than it is with kinetic
weapons because the links from a computer to the civilian infrastructure it controls are less apparent).

Schmitt,  supra  note  436,  at  204. 




2.  Technological  Limitations  and  Jus  in  Bello  Analysis 


Unfortunately, despite the increased security that active defenses provide, using them is
not without legal risk. Technological limitations may prevent states from conducting the
surgical strikes envisioned with active defenses. The more an attacker routes his attack
through intermediary systems, the more difficult it is to trace the attack. Furthermore,
complex traces take time, which is not always available during a moment of crisis.
Adding to these difficulties, trace programs often have problems pinpointing the source of an
attack once an attacker terminates his electronic connection. Sometimes these difficulties
will simply result in a failure to identify the source of an attack; other times they may result in
the incorrect identification of an intermediary system as the source of an attack. Even
when the source of an attack is correctly identified, the victim-state’s system administrator
must map out the attacking computer system to distinguish its functions and the likely
consequences that will result from shutting it down. The problem is that system mapping
takes time, often more time than a state has to make an informed decision. Sometimes a

See  Wedgwood,  supra  note  426,  at  227-30  (arguing  that  there  isn’t  enough  time  to  properly  map  the 
functions  of  an  attacking  computer  system  when  using  active  defenses,  which  may  result  in  counter-strikes 
having  broader  than  intended  consequences). 

See  generally  Wheeler  &  Larsen,  supra  note  158  (discussing  ways  to  trace  cyberattacks  to  their  source). 

See  Wedgwood,  supra  note  426,  at  227-30. 

See  generally  Wheeler  &  Larsen,  supra  note  158  (discussing  ways  to  trace  cyberattacks  to  their  source). 

See  Wedgwood,  supra  note  426,  at  227-30  (noting  that  looping  and  weaving  techniques  may  cause  faulty 
traces);  Wilson,  supra  note  15,  at  5-7  (noting  that  zombies  are  often  used  to  conduct  cyberattacks).  See 
generally  Wheeler  &  Larsen,  supra  note  158  (discussing  ways  to  trace  cyberattacks  to  their  source). 

See Barkham, supra note 29, at 82-83; Jensen, supra note 460, at 1184-85.

See  Wedgwood,  supra  note  426,  at  227-30. 




system  will  be  able  to  be  mapped  quickly,  allowing  states  to  make  informed  decisions  about 
likely  collateral  damage.  Other  times  a  state  will  be  forced  to  try  to  predict  the  likely 
consequences  of  using  active  defenses  without  having  fully  mapped  a  system.  As  a  result, 
any  state  that  employs  active  defenses  runs  the  risk  of  accidentally  targeting  innocent 
systems and causing unintended excessive collateral damage.

To  ensure  the  lawful  use  of  active  defenses  in  accordance  with  the  principles  of 
distinction and proportionality, states must do “everything feasible” to mitigate these risks.
In the realm of active defenses, this means doing everything feasible to identify: (1) the
computer system that launched the initial attack; and (2) the probable collateral damage that
will result from using active defenses against that system. Once a state does everything


See Barkham, supra note 29, at 82-83; Jensen, supra note 366, at 1178-79. Targeting innocent systems
violates the principle of distinction, unless it meets the safe harbor of the Rendulic Rule. Jensen, supra note
366, at 1178-86. Causing excessive collateral damage in relation to the military advantage gained violates the
principle of proportionality, unless it meets the safe harbor of the Rendulic Rule. Id.

Jensen, supra note 366, at 1183-86. This principle is derived from Additional Protocol I, Article 57(2),
which  states: 

(a)  those  who  plan  or  decide  upon  an  attack  shall: 

(i)  do  everything  feasible  to  verify  that  the  objectives  to  be  attacked  are  neither  civilians  nor 
civilian  objects  . . . ; 

(ii)  take  all  feasible  precautions  in  the  choice  of  means  and  methods  of  attack  with  a  view  to 
avoiding,  and  in  any  event  minimizing,  incidental  loss  of  civilian  life,  injury  to  civilians 
and  damage  to  civilian  objects; 

(iii)  refrain  from  deciding  to  launch  any  attack  which  may  be  expected  to  cause  incidental  loss 
of  civilian  life,  injury  to  civilians,  damage  to  civilian  objects,  or  a  combination  thereof, 
which  would  be  excessive  in  relation  to  the  concrete  and  direct  military  advantage 
anticipated. 

Additional Protocol I, supra note 431.

See Jensen, supra note 366, at 1183-86. It is important to note that probable consequences are judged as the
consequences that ‘“may be expected,’ not what is likely or possible, or even what is foreseeable.” Id. at 1179.
See generally Brown, supra note 51, at 198-202 (discussing the requirements of distinction, necessity, humanity
and proportionality regarding cyberattacks).




feasible to ensure it has the right information and acts in good faith in accordance with jus in
bello, it is legally protected from erroneous calculations, even when it targets civilian
systems or causes excessive collateral damage in relation to its military objective. “The
important point is that a [state] is required only to do what is feasible, given the prevailing
circumstances, including the time [it] has to make a decision and the amount of information it
has during that time.” Thus, states may still act with imperfect information, based on the
way facts appear at the time, when the potential danger forces them to act. The real test
will be whether danger to the victim-state’s systems justified the use of active defenses in
light of the likely collateral damage to the host-state.

While  beyond  the  scope  of  this  paper,  there  are  several  issues  worthy  of  consideration 
before  a  state  decides  to  implement  active  defenses.  First,  due  to  the  compressed  timelines  of 
cyberattacks,  a  state  may  need  to  automate  its  active  defenses  so  that  it  can  respond  to 
cyberattacks  in  a  timely  manner.  However,  using  automated  defenses  will  increase  the 
likelihood  of  violating  the  principles  of  distinction  and  proportionality.  As  a  result,  defenses 
should  probably  only  be  automated  for  detection  purposes,  requiring  human  analysis  and 
approval  before  actually  counter-striking.  Second,  just  because  it  is  legal  to  use  active 
defenses  under  the  circumstances  described  in  this  paper,  does  not  mean  it  is  sound  policy. 
States  must  decide  whether  the  diplomatic  fallout  is  worth  the  risk.  Unfortunately, 
technological  limitations  can  cause  state  calculations  to  be  erroneous  at  times,  and  cause 

See  Jensen,  supra  note  366,  at  1184-86  (discussing  the  legal  protection  granted  to  states  and  decision-makers 
under  the  Rendulic  Rule). 

Id. at 1186.

See id. at 1183.

See Brown, supra note 51, at 201-02.




civilian systems to be targeted or excessively damaged. States must decide that the
second-guessing which other states will engage in is worth the benefit gained from protecting their
computer  systems.  Third,  there  is  the  chance  that  the  servers  from  which  the  initial  attacks 
originate  are  intimately  tied  to  important  systems  in  the  host-state,  which  if  turned  off,  could 
have  devastating  effects  and  cause  unnecessary  suffering.  This  possibility  must  be  factored 
into  the  state’s  evaluation  of  military  necessity  versus  probable  collateral  damage,  especially 
if  a  state  responds  with  active  defenses  without  fully  mapping  an  attacking  system.  Fourth, 
states  should  carefully  design  their  active  defenses.  Poorly  coded  active  defense  programs 
run  the  risk  of  self-propagating  in  cyberspace,  beyond  their  initial  purpose,  and  can  run  the 
risk  of  evolving  from  a  defensive  program  into  a  computer  virus  or  worm,  whose  damage 
goes  far  beyond  its  intended  design.  Since  active  defenses  represent  a  new  frontier  in 
cyberwarfare,  their  initial  use  will  be  controversial,  no  matter  the  situation.  States  should 
expect  public  scrutiny  and  diplomatic  protests  until  such  time  as  active  defenses  are 
recognized  as  a  lawful  method  of  self-defense  under  international  law. 

VIII. Conclusion

Cyberattacks  are  one  of  the  greatest  threats  to  international  peace  and  security  in  the 
twenty-first  century.  Securing  cyberspace  is  an  absolute  imperative.  In  an  ideal  world,  states 
would  work  together  to  eliminate  the  cyberthreat.  Unfortunately,  our  world  is  no  utopia;  nor 
is  it  likely  to  become  one.  Sanctuary  states  refuse  to  cooperate  with  other  states  to  eliminate 
cyberattacks,  which  casts  doubt  on  reaching  a  global  international  agreement  to  secure 
cyberspace  at  any  time  in  the  near  future.  Perhaps  one  day  global  cooperation  to  eliminate 




cyberattacks  will  be  a  reality.  However,  unless  something  changes  to  pressure  sanctuary 
states  into  changing  their  behavior,  there  is  no  impetus  for  them  to  do  so.  As  a  result,  states 
must  use  their  imagination  to  get  past  the  current  legal  roadblocks  that  prevent  them  from 
adequately  addressing  the  current  cyberthreat,  and  coerce  sanctuary  states  into  fulfilling  their 
international  duty  to  prevent  cyberattacks. 

The  way  to  achieve  this  reality  is  to  hold  sanctuary  states  responsible  for  violating  their 
duty  to  prevent  cyberattacks  and  use  active  defenses  against  cyberattacks  originating  from 
within  their  borders.  Not  only  will  this  allow  victim-states  to  protect  themselves  from 
cyberattacks,  but  it  should  also  push  sanctuary  states  into  taking  their  international  duty 
seriously.  After  all,  no  state  wants  another  state  using  force  within  its  borders,  even 
electronically.  Thus,  the  possibility  of  a  forceful  response  to  cyberattacks  within  their 
borders  is  the  hammer  that  can  drive  some  sense  into  sanctuary  states. 

Since  states  do  not  currently  use  active  defenses,  any  decision  to  use  them  will  be  a 
controversial  and  scary  change  to  state  practice.  Like  any  proposal  that  changes  the  way 
states do business, this proposal is bound to be met with criticism on a number of fronts.


The  largest  critiques  are  likely  to  come  from  those  who  believe  that:  (1)  cyberattacks  are  not  acts  of  war  and 
should  be  treated  as  a  criminal  matter;  or  (2)  victim-states  should  have  to  prove  that  a  state  initiated  the 
cyberattack  or  exercised  direct  control  over  the  attacker  before  it  is  allowed  to  use  active  defenses.  However, 
some  critics  are  even  likely  to  critique  this  paper’s  approach  as  not  going  far  enough  to  protect  state  CNI  from 
cyberattacks  because  it  prevents  states  from  using  active  defenses  when  attacks  are  not  from  sanctuary  states. 

Critics  who  argue  that  cyberattacks  cannot  rise  to  the  level  of  armed  attacks  miss  the  way  the  law  has  responded 
to  unconventional  attacks  in  the  past.  Furthermore,  these  critics  also  miss  an  important  facet  of  international 
law — reprisals,  which  can  be  used  as  an  alternate  basis  to  authorize  active  defenses  against  cyberattacks.  See 
supra  notes  350,  368  and  accompanying  text. 

Critics who argue that this paper goes too far by advocating for the use of active defenses without having to
prove a state’s involvement in the attacks miss the way that the law of state responsibility has evolved over the
past thirty years. Their arguments rest on the prevailing view of state responsibility for cyberattacks, which is
rooted in outdated understandings of the law. See supra Part II.A (discussing the response crisis); supra Part
V.C (analyzing the law of state responsibility); VI.B (analyzing state responsibility for cyberattacks).




However, there is sound legal authority to use active defenses against states that violate their
duty to prevent cyberattacks. States that violate this duty, and refuse to change their
practices, should be held responsible for all further attacks originating from within their
borders in accordance with the law of war. At a time when cyberattacks threaten global
security and states are scrambling to find ways to improve their cyberdefenses, there is no
reason to shield sanctuary states from the lawful use of active defenses by victim-states, and
every reason to enhance state defenses to cyberattacks by using them.


Critics  who  argue  that  the  approach  advocated  by  this  paper  does  not  go  far  enough  to  protect  state  CNI,  and 
advocate  using  strict  liability  as  the  legal  standard  to  protect  CNI,  miss  a  crucial  part  of  the  legal  analysis — 
namely,  just  because  CNI  is  under  armed  attack  does  not  give  a  victim-state  legal  authority  to  violate  the 
territorial  integrity  of  the  host-state.  See  supra  notes  346,  352,  377  and  accompanying  text. 

Today, state responsibility for the actions of non-state actors results from a state’s failure to live up to its
international  duties  to  other  states  with  respect  to  those  non-state  actors.  See  supra  Part  V.C.  This  includes  the 
duty  to  prevent  cyberattacks.  See  supra  Part  VI.B-D. 

During  former  President  George  W.  Bush’s  administration,  the  United  States  initiated  a  $30  billion 
cyberdefense  plan  to  protect  government  computer  networks  from  attack.  Since  President  Obama  has  taken 
office,  he  has  identified  cybersecurity  as  one  of  the  most  important  national  security  concerns  of  the  United 
States,  and  has  ordered  a  review  of  U.S.  cyberdefenses  to  find  ways  to  improve  cybersecurity.  The  review  of 
U.S.  cyberdefenses  is  still  ongoing  at  the  time  of  this  paper’s  submission.  However,  in  one  of  the  reports 
already  prepared  for  the  President,  one  of  the  recommendations  is  to  reexamine  the  law  regarding  military 
responses to cyberattacks. See Keith Epstein, U.S. is Losing Global Cyberwar, Commission Says,
BusinessWeek.COM, Dec. 7, 2008, http://www.businessweek.com/bwdaily/dnflash/content/dec2008/db2008127_817606.htm;
Peter Eisler, Raids on Federal Computer Data Soar; ‘Major Intrusions’ on Networks
are Up 40%, USA TODAY, Feb. 17, 2009, at 1A; Byron Acohido, Obama Taps Cybersecurity Expert to Assess
U.S. Defenses, USA TODAY, Feb. 17, 2009, at 8B; Byron Acohido, White House Urged to Stop Cyberattacks,
USA TODAY.COM, Mar. 11, 2009, http://blogs.usatoday.com/technologylive/2009/03/the-united-stat.html;
Center for Strategic and Int’l Stud. Commission on Securing Cyberspace for the 44th Presidency,
Securing Cyberspace for the 44th Presidency 8 (2008) (recommending to the President to direct the
Attorney General to reexamine the law, and “issue guidelines as to the circumstances and requirements for the
use of . . . [the] military . . . in cyber incidents”).




